Currently, the provider could read the SNI value from the request, but work is done to encrypt that as well. This would allow them to see which Hostnamen was requested, but they cannot peek into the actual transmission (which is incidentally how domain fronting works: announce a different SNI than the actual requests Host header)
