This is not correct. ISPs cannot see the actual URL being requested. Your DNS provider can see the hostname. The ISP may be able to see the hostname unless encrypted SNI is in place. The ISP can see the IP address you are connecting to.
You seem to know more about this than I do, but my layperson's takeaway from the Snowden revelations is that the NSA records every url we browse. Are you saying that's incorrect?
The only way NSA can record the URL without having infiltrated Kagi's datacenter, is for them to have broken the encryption algorithms behind TLS/HTTPS.
If that's the case, nowhere on the regular Internet is safe.
Snowden revealed that NSA has infiltrated all the major industry players (Apple, Microsoft, Google, etc.), also ISPs. But the only way NSA can know what your plaintext HTTPS URL is either by having access to your PC, or having access to Kagi's servers. Or as I said, that they've cracked encryption schemes everyone assumes to be safe.
