You're describing the world everyone wants. I would much rather OS's move to a system with a filtering API so I can get real errors like "connection not allowed by local security policy" instead of pretending like it works and then dropping packets or getting garbage responses from the appliance pretending to be my server.
Of course what we'll actually get is networks which require[0] your OS to attest that you are running in Secure Boot mode, so the network can ensure you are running an "approved" OS that prevents you from running VPNs or Tor or bittorrent or E2EE messengers...
the idea is that device traffic would be inspected by the OS via some subsystem that encrypts/decrypts application traffic. I'm talking out of my butt here, I am not an OS person or a dev.
I imagine instead of the web browser encrypting traffic before sending it on the wire, it would send it in the clear to a process on the OS ("Endec"? I'm trying to think of some word like codec or modem for encrypt/decrypt).
This process would be the hub for all endpoint encrypt-decrypt operations, and the place where all apps would trust to do the work. That way, inspection tools desired by the user (or in corp land, the admin) could hook in and do filtering.
Applications that don't want this, such as say, Signal or other hyper-privacy tools, could choose their own trust store and bypass it, if permitted by the OS admin. Otherwise, corps could block raw access to the NIC.
