by sfRattan 84 days ago
I'm not imagining filtering based on the path. Even with HTTPS, hostname is visible before the handshake. And even when Encrypted Client Hello is widely implemented, it's also easy enough for network providers to drop any ECH packets from devices flagged as "for children" and signal to those devices that their handshake must reveal the hostname, at least to the router doing the filtering.

What's the standard signal for "please disable CH encryption because your network wants to spy on you" and why would any device respect it?
It's not: disable CH encryption because your network wants to spy on you.

It is: disable CH encryption because the owner of this device, to whom we are leasing connectivity, has set the "isChild" flag for this device to true in her account with us so that we can filter the Internet for this device.

There's no such standard signal right now. But I'd prefer such a signal strongly over code that I cannot control running on my own device to enforce legislation. If we're going to enforce these things somewhere, code on my devices is the last place I want that enforcement to happen.

> ...and why would any device respect it?

Because if they do not, the ISP drops all further packets and the connection dies.