Because that only protects you from a small subset of possible threats that end-to-end encryption protects you from like DNS hijacking and any MITM-type scenario.

Sticking it on a VLAN only controls access, not data secrecy.

▲

VladVladikoff 5 hours ago | parent [-]

Broadcasting internal IPs on public DNS records is also a suboptimal approach that leaks information to the public. Local devices should be routed over layer 2.

	▲	iso1631 4 hours ago \| parent [-]
		DNS challenge doesn't broadcast internal IPs. Certificate transparency does show up hostnames or wildcards though.