Also, moving termination off the endpoint server makes it much easier for three-letter agencies to intercept + log.

Most responsible orgs do TLS termination on the public side of a connection, but will still make a backend connection protected by TLS, just with an internal CA.
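Added example (not the commenter's code, standard library only): a minimal Go model of the layout described above. An edge reverse proxy terminates the public-facing TLS hop, then opens a second TLS connection to the backend that is verified against an internal CA rather than the public roots. Everything concrete here is a constructed assumption: the CA and host names, the one-hour validity, the backend reply, and the use of httptest's built-in localhost certificate as a stand-in for the edge's publicly issued cert. It also runs the negative check a practitioner would want: an edge that mistakenly trusts the public-side roots for the internal hop gets an unknown-authority error instead of a quietly accepted connection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"time"
)

// newCert: P-256 key plus a one-hour cert for cn; ca selects a self-signed CA (our constructed internal CA), otherwise a server leaf signed by parent/parentKey.
func newCert(cn string, serial int64, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, t.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = t, key // self-signed root
	} else { // SANs cover the name and the loopback address httptest binds to
		t.DNSNames, t.IPAddresses = []string{cn}, []net.IP{net.IPv4(127, 0, 0, 1)}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// TransportTrusting is the client side of a TLS hop whose trust store is exactly one CA.
func TransportTrusting(ca *x509.Certificate) *http.Transport {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}}
}

// Fetch performs a GET over rt and returns the response body.
func Fetch(rt http.RoundTripper, target string) (string, error) {
	resp, err := (&http.Client{Transport: rt}).Get(target)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// Demo wires public client -> edge (public-side TLS) -> backend (internal-CA TLS); it returns the body the public client gets and whether a backend hop trusting the wrong CA is rejected.
func Demo() (body string, wrongCARejected bool, err error) {
	internalCA, internalKey, err := newCert("Constructed Internal CA", 1, true, nil, nil)
	if err != nil {
		return "", false, err
	}
	backendCert, backendKey, err := newCert("backend.internal", 2, false, internalCA, internalKey)
	if err != nil {
		return "", false, err
	}
	backend := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "hello from backend")
	}))
	backend.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{backendCert.Raw}, PrivateKey: backendKey}}}
	backend.StartTLS()
	defer backend.Close()
	// Edge: terminates the public hop (httptest's localhost cert stands in for a public one), then re-encrypts to the backend, verified against the internal CA only.
	target, _ := url.Parse(backend.URL)
	proxy := httputil.NewSingleHostReverseProxy(target)
	proxy.Transport = TransportTrusting(internalCA)
	edge := httptest.NewTLSServer(proxy)
	defer edge.Close()
	// Public client: trusts the edge's public-side certificate and never learns the internal CA.
	body, err = Fetch(edge.Client().Transport, edge.URL)
	if err != nil {
		return "", false, err
	}
	// Negative check: trusting the public-side roots for the internal hop must fail closed, since the backend chains to the internal CA.
	_, bad := Fetch(TransportTrusting(edge.Certificate()), backend.URL)
	return body, errors.As(bad, new(x509.UnknownAuthorityError)), nil
}

func main() {
	body, rejected, err := Demo()
	println(body, rejected, err == nil) // prints: hello from backend true true
}
```

The part to carry into a real edge config is the backend hop's trust store: `RootCAs` holds the internal CA and nothing else, and the hop fails closed on anything it cannot chain to that CA. Setting `InsecureSkipVerify` on that hop instead would still encrypt the bytes but would not authenticate the backend, which is the interception scenario the comment is warning about.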