Re: I'm confused
Unless the host uses Server Name Indication, I gather. A blog site might well use a wildcard SSL certificate to cover its subdomains, multi-tenanted HTTPS is likely to use SNI with unrelated domain names.
As it's apparently sent in clear text at an early stage in the handshake, I suspect there may be a MITM attack that would cause the browser to emit an SNI even if one were not required by the server.
If the web server is correctly implemented (nginx does this AFAIR) the initial connection can contain one SNI visible in plain text, but after TLS is negotiated the browser has to start the request all over again and can give a different, this time TLS protected, SNI.
Thus the visible SNI could be completely-innocuous.com but the secret one could be trump-porn.org. Whether any browser actually supports this split site working is left as an exercise to the