[mtmail]

There's a whole industry of data brokers buying data https://www.cbsnews.com/sanfrancisco/news/verizon-att-end-lo... It can be deals with apps/widgets/website/software-libraries or even buy-out of an app. https://www.denverpost.com/2019/07/28/online-data-for-sale-p...

You're right with ISPs. These days they'd only be able to see the domain name. That part of the HTTP header is unencrypted. Man-in-the-middle won't work, as you said, due to certificate pinning.