
"Unsecured DNS over 53/tcp+udp (vs. DoH today) is a huge spoofing and metadata collection threat surface"

Genuinely curious:

What actor, in 2025, would exist in your threat model for DoH ... but wouldn't simultaneously be sniffing SNI?

I can't think of any.

I cannot think of any good reason to be serious about DoH and DNS leakage in the presence of unencrypted SNI.

What am I missing?



Not saying they are malicious actors, but easy answer would be any Public WiFi anywhere. They all intercept DNS, less than 1% intercept SNI.

It is also public knowledge that certain ISPs (including Xfinity) sniff and log all DNS queries, even to other DNS servers. TLS SNI is less common, although it may be more widespread now, I haven't kept up with the times.


Citing a situation where DNS interception is good for the user isn't the best way to defend it being bad.


Isn't the vast majority of TLS connections using SNI today?


Yes, TLS SNI is ubiquitous. I am referring specifically to TLS SNI metadata collection.


Popular web browsers send SNI by default regardless of whether it is actually needed. For example, HTTPS-enabled websites not hosted at a CDN may have no need for SNI. But popular web browsers will send it anyway.


Every single ISP in the world. It was a well-documented abused channel.

They not only intercepted your traffic for profiling but also injected redirects to their branded search. Honestly curious if you're just too young or were one of the maybe 10 people who never experienced this.

Sending traffic to a third party like Quad9 is much safer than to a company who has your name/address/credit card.


TLS 1.3 exists.



