Is your point that TLS is typically decrypted by a web server rather than directly by the app the web server forwards traffic to?