I'm absolutely not offering to implement it, but it does seem like one ought to be able to proxy the inner hello to the origin so the owner of the shared IP address doesn't actually get to inspect the content of the TLS stream.
So if you have a few folk who each want to self-host, you can group together to provide ECH across all your sites without leaking to each other more than you leak to any passive attacker today.