I noticed this type of notification injection on a mobile phone in the EU for my own personal websites. It strongly pushed me towards implementing LetsEncrypt and redirecting my users to HTTPs. ISPs can't inject anything into the HTML if you force a secure connection (unless they've gotten the end user to install their CA and inject generated certs).