[steego]

It doesn’t.

Many governments block TLS connections directly between a client and an external website. Instead, they’ll install a custom root certificate and all connections and intercept traffic, using the government root certificate for each TLS connection instead of the external website’s.

https://en.m.wikipedia.org/wiki/Deep_packet_inspection

[Nextgrid]

It still means that only whoever has the private key corresponding to that certificate can intercept and decrypt the traffic, so a third-party like Starlink should not be able to.

[steego]

Preventing third parties from intercepting encrypted traffic isn’t the point of deep packet inspection (DPI).

Organizations implement DPI to PREVENT outbound encrypted connections to unknown external servers to keep internal data LEAVING the organization.

In other words, the point of DPI is to prevent unauthorized encrypted connections to unknown servers.