[Mister_Snuggles]

Usually.

Some middleboxes inspect the TLS session setup (e.g., SNI sniffing) and in some corporate environments they even decrypt the traffic (this relies on the endpoints having a root certificate installed that allows this functionality, which is something you'd see in a corporate environment).

[meindnoch]

Ok, but at that point there's zero benefit to DoH anyway.

[jen20]

There might be: even if my employer can decrypt traffic, there's no reason for either of my scumbag internet service providers to be able to.