
tl;dr the only reason to care about SNI in TLS 1.3 is if you are a privacy freak. It's not a security concern.

(Incidentally, your ISP can still learn what hosts you visit with traffic analysis)



> tl;dr the only reason to care about SNI in TLS 1.3 is if you are a privacy freak. It's not a security concern.

You also need to care about SNI if you're trying to evade a firewall in a repressive country that blocks encrypted messaging services and VPNs that are used to bypass censorship and surveillance. Some of those firewalls were looking at the SNI to figure out if the traffic was something they wanted to block or not.

https://arstechnica.com/information-technology/2018/04/googl...


They can still check the SNI string, since initial encryption is negotiated with the proxy.

They can't subsequently masquerade as the actual SNI host since they don't have a valid cert for it, but by that point they've probably learned enough to terminate the connection and log the attempt. Well, unless they have their root cert in your browser...

SNI encryption is useful against ISPs and casual snooping, not state actors.
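Added example, not part of any comment in this thread: the point made above (and in the opening post) is that without encrypted SNI the server name travels in cleartext in the ClientHello, so any on-path observer can read it before any key is negotiated. The script below builds a minimal, constructed TLS 1.3-shaped ClientHello record and then walks it the way a passive monitor would, pulling the server_name out of the extension block. Names and layout follow RFC 8446; the builder's zeroed random and single cipher suite are simplifications for the sample, not a real client's output.

```python
import struct

def build_client_hello(server_name=None):
    """Build a minimal ClientHello record (constructed sample, not real client output).
    Only the fields a parser has to walk are populated."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # server_name ext
    sv = b"\x02\x03\x04"                                     # supported_versions: TLS 1.3
    extensions += struct.pack("!HH", 43, len(sv)) + sv
    body = (
        b"\x03\x03"                                          # legacy_version
        + bytes(32)                                          # random (zeroed in this sample)
        + b"\x00"                                            # legacy_session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"                 # one suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                        # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header

def extract_sni(record):
    """Return the host_name from the ClientHello's server_name extension, or None.
    Everything read here is plaintext: no key has been agreed yet."""
    try:
        if record[0] != 0x16:
            return None                                      # not a handshake record
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            return None                                      # not a ClientHello
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        p = 2 + 32                                           # skip legacy_version + random
        p += 1 + body[p]                                     # skip session id
        p += 2 + struct.unpack("!H", body[p:p + 2])[0]       # skip cipher suites
        p += 1 + body[p]                                     # skip compression methods
        if p + 2 > len(body):
            return None                                      # no extensions at all
        end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            p += 4
            edata = body[p:p + elen]
            p += elen
            if etype != 0x0000:
                continue
            q = 2                                            # skip ServerNameList length
            while q + 3 <= len(edata):
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                name = edata[q:q + nlen]
                q += nlen
                if ntype == 0:
                    return name.decode("ascii", errors="replace")
        return None
    except (IndexError, struct.error):
        return None                                          # truncated or malformed input

if __name__ == "__main__":
    hello = build_client_hello("example.com")
    print("observed SNI:", extract_sni(hello))              # the monitor learns the host
    print("no SNI:", extract_sni(build_client_hello(None)))
```

The same walk works on a captured record from a real client (pass the raw bytes of the first TLS record to `extract_sni`); with Encrypted Client Hello the outer ClientHello carries only the fronting name, which is exactly the change being debated.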


Trying to circumvent a repressive regime's laws is not a great design spec for the internet. Why not make Tor mandatory for all TLS 1.4 connections?

Either they'll use traffic analysis to find out where you're going anyway or they'll just ban all HTTPS connections. Not that they need to as Russia is fine with just blocking whole IP ranges, making SNI irrelevant.



