Why not resolve everything with UNIX sockets instead, that way you can have them named and scoped instead, hiding behind port 443, since it's mosly HTTP anyway.
* Given that you can easily start up your own CA in a test bed, just use different domain names.
* Or use IP addresses directly, given that IPv6 i pretty abundant it's easy to just listen on many addresses at the same time. A nice thing is to just put the port number is the last octets: fd01::9000, fd01::0003:5565. If it's HTTPS you always use port 443, if it's another protocol, use another port. With iptables/nft you can translate all port 443 traffic towards a /96 to a single IP.
* Proxies in Firefox seems to understand that though, which means you can have a proxy that translate to unix sockets locally. That means you can basically run it to a namespaced application, using only http://<service>.localhost.
works with curl, maybe there is a case to either build a proxy for UDS and expose them to a browser, or open a request ticket to browser maintainers to support UDS