I have found
https://dev.mysql.com/doc/refman/5.7/en/connection-options.html#option_general_ssl
--ssl-mode=mode
This option specifies the desired security state of the connection to the
server. These mode values are permissible, in order of increasing strictness:
DISABLED: Establish an unencrypted connection. This is like the legacy --ssl=0
option or its synonyms (--skip-ssl, --disable-ssl).
PREFERRED: Establish an encrypted connection if the server supports encrypted
connections, falling back to an unencrypted connection if an encrypted
connection cannot be established. This is the default if --ssl-mode is not
specified.
Connections over Unix socket files are not encrypted with a mode of PREFERRED.
To enforce encryption for Unix socket-file connections, use a mode of REQUIRED
or stricter. (However, socket-file transport is secure by default, so
encrypting a socket-file connection makes it no more secure and increases CPU
load.)
REQUIRED: Establish an encrypted connection if the server supports encrypted
connections. The connection attempt fails if an encrypted connection cannot be
established.
I can also require specific users using:
CREATE USER 'mysql_user'@'your_mysql_client_IP' IDENTIFIED BY 'password' REQUIRE SSL;
or
GRANT USAGE ON *.* TO 'mysql_user'@'your_mysql_client_IP' IDENTIFIED BY 'password' REQUIRE SSL;
I am just trying to figure out the configuration
ssl-mode=PREFERRED
GRANT USAGE ON *.* TO 'alice'@'0.0.0.0' IDENTIFIED BY 'password' REQUIRE SSL;
Does that imply
'bob'@'localhost' isn't required to use SSL?
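
An added example, not part of the original post: one way to check on MySQL 5.7 which accounts carry a TLS requirement, using the mysql.user table, the require_secure_transport variable (5.7.8 and later) and the Ssl_cipher status variable. The account names, hosts and passwords are constructed placeholders.

```sql
-- Constructed accounts for illustration; names, hosts and passwords are placeholders.
CREATE USER 'alice'@'%' IDENTIFIED BY 'placeholder-password-1' REQUIRE SSL;
CREATE USER 'bob'@'localhost' IDENTIFIED BY 'placeholder-password-2';

-- REQUIRE SSL is recorded on the individual account row, not server-wide.
-- ssl_type is 'ANY' for REQUIRE SSL, 'X509' or 'SPECIFIED' for the stricter
-- REQUIRE clauses, and empty for an account with no TLS requirement.
SELECT user, host, ssl_type
FROM mysql.user
WHERE user IN ('alice', 'bob');

-- List every account that may still authenticate over an unencrypted connection.
SELECT user, host
FROM mysql.user
WHERE ssl_type = '';

-- Add the requirement to an existing account without touching its password.
ALTER USER 'bob'@'localhost' REQUIRE SSL;

-- Server-side setting that applies to all accounts: when ON, the server
-- rejects TCP connections that are not encrypted.
SHOW GLOBAL VARIABLES LIKE 'require_secure_transport';

-- Run inside a client session: a non-empty value means this session is encrypted,
-- an empty value means a client in PREFERRED mode fell back to plaintext.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```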