Not so sure. Imagine you have a base64 encoded payload and it just happens to encode the forbidden word. Good luck debugging that, if the payload only gets silently modified.

I suddenly understand why it makes sense to integrity-check a payload that is already protected by all three of TLS, TCP checksum and CRC.

Good point, i take take that back. Having payload mutated would indeed be even more scary. Even more so if it actually contains real queries, imagine what could happen if /etc/hosts becomes /etc/*.