Yes, that's correct. The purpose of the WebPKI and TLS is not to protect against this form of attack but rather to protect against compromise of the network between the client and the server.