Major cloud providers have stopped making domain fronting an option (mostly because it was never supposed to happen anyway), but ISPs are never going to try to validate every single TLS certificate to see what traffic to block and what traffic to let through. The overhead would be enormous, and people using custom certificate authorities (businesses and private persons) would get their communication blocked for no good reason.
It's also possible to get around SNI by using session resumption instead of doing a full handshake. 0-RTT TLS needs special attention because of replay attack risks, but it can speed up the network while at the same time avoiding SNI blocking once a session has been set up. QUIC offers a similar solution.
As far as I can tell, the tools normally used for traffic interception don't grow as fast as the tools for new communication. Support for certain protocols can take days to implement on the client side but weeks on the middlebox side, and that assumes your middleboxes get regular updates.
Worst case scenario, people just turn on a VPN to a place that doesn't block their apps and you lose all visibility of their network traffic. Implementing this stuff at scale isn't easy.