Banning encryption that the device owner can't control actually seems like a great idea. So e.g. for TLS it should be easy to install a CA and MITM filtering proxy as an admin user and all applications must trust that CA.

I non sarcastically agree that communication obfuscation should not prevent owner access to comms, but that’s not really the point I was making.