
classification
Title: Documentation of SSL library
Type: enhancement Stage: patch review
Components: Documentation Versions: Python 3.9, Python 3.8, Python 3.7
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: docs@python Nosy List: Christophe Nanteuil, christian.heimes, docs@python
Priority: normal Keywords: patch

Created on 2020-03-31 16:40 by Christophe Nanteuil, last changed 2022-04-11 14:59 by admin.

Pull Requests
URL: PR 19253 | Status: closed | Linked by: Christophe Nanteuil, 2020-03-31 16:48
Messages (4)
msg365398 - Author: Christophe Nanteuil (Christophe Nanteuil) * Date: 2020-03-31 16:40
For the ssl.create_default_context() function, it states that, "if cafile, capath and cadata are None, the function *can* choose to trust the system's default CA certificates instead".
This statement is not clear as, if the values are None, there is no choice and the only elements available are system's default CA.
AFAIK, if the values are not None, it will not fall back to system's default CA even if the given CA does not match.
I propose to modify the end of the sentence with "the function trusts the system's default CA certificates instead".
msg365402 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2020-03-31 17:18
There are choices beyond our control. For example the operating system may not have a usable trust store. OpenSSL's builtin paths may not be correctly configured to locate the trust store. The user may have configured her/his environment to load other or no CA certs.
msg365408 - Author: Christophe Nanteuil (Christophe Nanteuil) * Date: 2020-03-31 17:32
Thanks for clarifying the choice. I understand that we could state:
"if cafile ... are None, the function falls back to user/system configuration (which is beyond this documentation)."
msg365615 - Author: Christophe Nanteuil (Christophe Nanteuil) * Date: 2020-04-02 18:58
I modified the PR according to the source code:
"if all three are None and SSLContext.verify_mode is not set to CERT_NONE, this function uses the system's default CA certificates."

The way the system is configured may depend on multiple parameters but I hope this statement is clearer and it disturbs me to read that the function "can choose", all the more for a security module.
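The fallback the final wording describes, shown as an added example (not code from the issue, the PR, or CPython itself): with no cafile/capath/cadata, create_default_context() loads the system store only when verify_mode is not CERT_NONE, and that load "may fail silently", so a deployment check should confirm the store is not empty. An explicitly passed cafile, by contrast, is an error when it holds no certificates rather than a fallback. The purpose names and the empty PEM file are constructed for the demo.

```python
import os
import ssl
import tempfile


def trust_store_report(purpose="SERVER_AUTH"):
    """Build a context as ssl.create_default_context() does, with no explicit
    cafile/capath/cadata, and report which trust anchors it ended up with."""
    ctx = ssl.create_default_context(ssl.Purpose[purpose])
    # cert_store_stats() counts the objects OpenSSL holds in the X509_STORE;
    # 'x509_ca' is the number of CA certificates usable as trust anchors.
    ca_count = ctx.cert_store_stats()["x509_ca"]
    warning = None
    if ctx.verify_mode != ssl.CERT_NONE and ca_count == 0:
        # Verification is on but the system/user configuration yielded no
        # CA certs: every handshake will fail. Safe, but it should be caught
        # at deployment time rather than discovered in production.
        warning = "verification enabled but no CA certificates were loaded"
    return {
        "verify_mode": ctx.verify_mode.name,  # e.g. "CERT_REQUIRED"
        "ca_count": ca_count,
        "warning": warning,
    }


def explicit_cafile_fails_loudly():
    """Show that a given cafile containing no certificates raises instead of
    silently falling back to the system store (constructed input: an empty
    PEM file in a temporary directory)."""
    with tempfile.TemporaryDirectory() as tmp:
        empty_pem = os.path.join(tmp, "empty.pem")
        open(empty_pem, "w").close()
        try:
            ssl.create_default_context(cafile=empty_pem)
        except OSError:  # ssl.SSLError is a subclass of OSError
            return True
    return False


if __name__ == "__main__":
    print("SERVER_AUTH:", trust_store_report("SERVER_AUTH"))
    print("CLIENT_AUTH:", trust_store_report("CLIENT_AUTH"))
    print("empty cafile raises:", explicit_cafile_fails_loudly())
```

For the server-side purpose (CLIENT_AUTH) verify_mode stays CERT_NONE, so no default certificates are loaded and the store is empty by design; for SERVER_AUTH the count reflects whatever trust store the host actually provides.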
History
Date | User | Action | Args
2022-04-11 14:59:28 | admin | set | github: 84308
2020-04-04 03:17:20 | terry.reedy | set | versions: - Python 2.7, Python 3.5, Python 3.6
2020-04-02 18:58:48 | Christophe Nanteuil | set | messages: + msg365615
2020-03-31 17:32:04 | Christophe Nanteuil | set | messages: + msg365408
2020-03-31 17:18:20 | christian.heimes | set | nosy: + christian.heimes; messages: + msg365402
2020-03-31 16:48:39 | Christophe Nanteuil | set | keywords: + patch; stage: patch review; pull_requests: + pull_request18611
2020-03-31 16:40:57 | Christophe Nanteuil | set | type: enhancement
2020-03-31 16:40:25 | Christophe Nanteuil | create |