You can do kernel TLS for sendfile at least, maybe for io_uring too? Probably not for HTTP/2, but I'm not convinced multiplexed tcp in tcp is a good protocol for the public internet anyway.
That's indeed possible, if one has a TLS stack which supports KTLS. I however don't think there's not too many of those yet, and probably even less so in Rust where both the library and a potential Rust wrapper would need to support it.