It's just not technically feasible, so there's nothing to lie about. They're not MITMing petabytes/sec across dozens (hundreds?) of companies and they haven't broken TLS1.3.
If I have a box at Digital Ocean and I'm communicating with it with TLS1.3 using a Let's Encrypt cert that I generated, where, exactly, does this magical MITM box come into play?
Of course it's feasible, you just intercept the traffic post-decryption on the cloud/server side. You don't control how/where your traffic to 3p cloud services is decrypted.
You keep saying this, but it's nonsensical. If I terminate TLS on the box that does processing, there's nothing to intercept.
And these days (especially post-Snowden), many (most?) companies encrypt data when sending between servers within their own (private network) infrastructure.
If I have a box at Digital Ocean and I'm communicating with it with TLS1.3 using a Let's Encrypt cert that I generated, where, exactly, does this magical MITM box come into play?