Devices you can't control are also a problem, but the endpoints are still the right places to implement filtering. You can't guarantee access to the data anyway, as they can always encrypt the content independently of TLS. Though they're more likely to pin their own certificates so they can't be MitM'd and simply refuse to operate in a network environment hostile to end-to-end encryption.
It's best to just wall untrusted devices off from the rest of the network so they can access the Internet as required to do their job but not interact with any of your other devices. Or alternatively, replace them with open-source devices you do control.