It's not strictly about targeted attacks. There are people who modify unencrypted content that passes through their system regardless of what content it is. There have been several presentations on this topic, but I'll link the slides for one [0]. Here's an article about an ISP injecting ads in case you don't think this sort of thing happens in real systems [1].