
It's sad that interception receives such a bad reputation because of broken security products. Yes, a proxy is a weak link. But if implemented properly and in a trustworthy way, then it's better than having endpoint security, which is often worse. And no, the proxy does not belong on the endpoint itself! If organizations with proxy interception are not able to scan traffic, they will just drop the traffic. Instead of using MITM mitigations that don't allow interception at all, we need better user experience (with choice) and safe(r) products.

I have a little side project where I try to implement a proxy for myself. I want to remove ads and be able to scan and cache downloads. I trust the adblock plugins and endpoint security products far less than a MITM proxy I wrote myself.




Why does the proxy not belong on the endpoint?


For various reasons: you probably have more endpoints on your network than proxy servers and thus a bigger attack surface. Keeping the endpoints up-to-date is harder (e.g. laptops that are not permanently attached to the network to receive updates). If your endpoints are workstations, human interaction (e.g. installing malicious software, opening malicious attachments) and the overall complexity of the system (e.g. GUI, multiple users) makes it weaker than a central, dedicated, isolated, stripped down and locked down set of proxy servers. And finally, process isolation is really, really hard (if your countermeasure _only_ runs on the target (endpoint), you already weakened your position).



