ValentineC 3 hours ago

> It's a fundamentally different threat model and most endpoint protection isn't looking for it because the behavioral signatures look like normal network activity.

Is it even possible for a prosumer home router like OPNsense or OpenWRT to detect this?

nickburns an hour ago

For the router itself? No. For the 'prosumer' admin? Sure.

How many prosumers or otherwise network admins filter outbound traffic though? And of the select few that do—how many are actually 'inspecting' say, outbound TCP/443 (e.g., monitoring traffic volume, looking up destination addresses, and/or inspecting SNIs) for example?
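What "inspecting SNIs" on outbound TCP/443 involves, as an added example that is not part of the thread: a Python sketch that pulls the server name out of the first TLS record of a connection and lists flows whose name is missing or not on an expected list. The helper names, the allowlist idea, and the sample flows (documentation addresses, example domains) are assumptions constructed for illustration.

```python
import struct

def extract_sni(rec: bytes):
    """Return the SNI host name in a TLS ClientHello record, or None."""
    try:
        if rec[0] != 0x16 or rec[5] != 0x01:        # handshake record, ClientHello
            return None
        pos = 5 + 4 + 2 + 32                        # record hdr, handshake hdr, version, random
        pos += 1 + rec[pos]                         # session_id
        pos += 2 + struct.unpack_from("!H", rec, pos)[0]   # cipher_suites
        pos += 1 + rec[pos]                         # compression_methods
        end = pos + 2 + struct.unpack_from("!H", rec, pos)[0]
        pos += 2
        while pos + 4 <= min(end, len(rec)):
            ext_type, ext_len = struct.unpack_from("!HH", rec, pos)
            pos += 4
            if ext_type == 0:                       # server_name extension
                name_len = struct.unpack_from("!H", rec, pos + 3)[0]
                name = rec[pos + 5 : pos + 5 + name_len]
                if rec[pos + 2] != 0 or len(name) != name_len:
                    return None                     # not host_name, or truncated
                return name.decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                        # malformed or truncated input
    return None

def build_client_hello(host: str, with_sni: bool = True) -> bytes:
    """Constructed sample input: a minimal ClientHello, optionally without SNI."""
    name = host.encode("ascii")
    sni = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HHHB", 16, 5, 3, 2) + b"h2" + (sni if with_sni else b"")
    # version, random, empty session_id, one cipher suite, null compression
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def review_flows(flows, expected_hosts):
    """flows: (dst_ip, first client bytes). Return the ones worth a closer look."""
    findings = []
    for dst_ip, first_bytes in flows:
        sni = extract_sni(first_bytes)
        if sni not in expected_hosts:
            reason = "SNI not on expected list" if sni else "no SNI or not a ClientHello"
            findings.append((dst_ip, sni, reason))
    return findings

SAMPLE_FLOWS = [  # constructed: documentation addresses, example domains
    ("203.0.113.10", build_client_hello("updates.example.com")),
    ("198.51.100.7", build_client_hello("unknown.example.net")),
    ("192.0.2.44", build_client_hello("x", with_sni=False))]
```

The parser assumes the whole ClientHello arrives in one TLS record; a hello split across records or TCP segments needs reassembly first. With Encrypted Client Hello the visible name is only the outer one, so destination address and traffic volume remain the other signals to watch.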