SNI is not encrypted.

You need a box downstream of your ISP devices that encrypts all traffic out over a VPN. This is what I do.

> That’s always a good idea, but they’ll still be able to tell when someone is home because the outbound internet traffic will increase.

Sure, but not necessarily who is home, since they won't have the MAC address of your device(s) connecting.

Also, traffic volumes are a lot noisier of signals than you might think, given how much automated and background stuff we have these days.

So you need fake upstream downstream traffic, put your router in a lead box, use DNS over https, and then all that for nothing because the Amazon router was backdoored by the NSA too