I agree for the most part; however, I think using Lightning one could theoretically come up with an incentive structure to make this work, if traffic out of the tunnel is encrypted (unencrypted traffic is an issue, so point well taken). TLS interception could be an issue, but would throw warnings on most modern browsers/clients. But I do agree this could cause a lot of issues with non-technical users. I worked on the AWS CloudFormation team as a security engineer; I may go check out your GitHub and see if I can help out in any way.