Re: IWF Handwringing
A lot of TLS web sites are hosted on shared services these days: think anything on AWS S3, for example.
There’s separate work going on to prevent them being enumerable (i.e. to prevent the domain names being disclosed via the certificate when you connect to them).
This will lead to some suggesting the answer is to “man in the middle” every TLS connection, I’m sure.