My thought is that with SNI (Server Name Identification), the domain is transmitted in plaintext as is. Encrypted SNI is a long way off unless everyone starts letting a 3rd party like Cloudflare manage everything.
To cut Comcast out of the loop requires the OS/Browsers to switch away from Comcast's DNS, and a huge amount of the web terminating at generic Cloudflare IPs with Encrypted SNI.
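What an on-path observer such as the ISP sees in the plaintext SNI field, as an added Python example that is not part of the original post: it constructs a minimal ClientHello as a test fixture and parses the host name back out, the same field a passive network monitor would log.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS ClientHello record with an SNI extension (constructed fixture, not a capture)."""
    name = hostname.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name     # name_type=host_name
    sni_ext_body = struct.pack("!H", len(server_name)) + server_name  # server_name_list
    sni_ext = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    body = (
        b"\x03\x03"                                # client_version
        + b"\x11" * 32                             # random (constant, constructed)
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite
        + b"\x01\x00"                              # compression: null only
        + struct.pack("!H", len(sni_ext)) + sni_ext
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the SNI host_name carried in a TLS ClientHello record, or None if absent/malformed."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                                # not a handshake record / not a ClientHello
    hs_len = int.from_bytes(record[6:9], "big")
    p = record[9:9 + hs_len]
    try:
        off = 2 + 32                               # skip client_version + random
        off += 1 + p[off]                          # skip session_id
        off += 2 + struct.unpack("!H", p[off:off + 2])[0]   # skip cipher_suites
        off += 1 + p[off]                          # skip compression_methods
        ext_len = struct.unpack("!H", p[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", p[off:off + 4])
            off += 4
            if etype == 0x0000:                    # server_name extension
                q = off + 2                        # skip server_name_list length
                if p[q] == 0:                      # host_name entry, sent unencrypted
                    nlen = struct.unpack("!H", p[q + 1:q + 3])[0]
                    return p[q + 3:q + 3 + nlen].decode("ascii")
            off += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None
```

Because the host name is readable here without any key material, a network tap between the client and Cloudflare recovers it regardless of which DNS resolver the client used.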