Remember this is first and foremost about identification
Remember, this is first and foremost about identification; what is done as a consequence is dependent on the application: inline decryption, out-of-band decryption, packet capture for later analysis, alerting, blocking...
However, I doubt there are enough distinct observables in the visible portion of encrypted traffic (hellos, flow frequency and length) to be able to reliably classify malicious and legitimate traffic, and then there are the consequences of malware, where attackers and malicious insiders use 'legitimate' tools and services to conduct their activities. A decent infosec team needs to be able to see across all of this.
And I maintain that if, as a corporate user, you want to maintain privacy from your employers in office hours, use your smartphone/data - you do have one, don't you?