great explanation, thanks!

It is very weird that tools that support “onion” ssl - some way that would allow one layer of encryption for your “allowed” mitm which would keep almost all the request encrypted with key for the server.