They may not be able to inject HTTPS, but they can offer an API that will map IPaddress:port to identity (as one mentioned here[1]), for only a bit more overhead than tampering with HTTP headers and without breaking TLS.
If they want to make some possibly non-standard protocol adjustments they mutually understand, they should be able to inject it, too. Researching the protocols/crypto to understand that more and trying to produce a POC are side-projects on my list, maybe some day.
The root of the issue is that your ISP often knows who you are, every site you connect to knows who your ISP is, and they have incentives to trade notes on you and few reasons not to.
If they want to make some possibly non-standard protocol adjustments they mutually understand, they should be able to inject it, too. Researching the protocols/crypto to understand that more and trying to produce a POC are side-projects on my list, maybe some day.
The root of the issue is that your ISP often knows who you are, every site you connect to knows who your ISP is, and they have incentives to trade notes on you and few reasons not to.
[1] https://news.ycombinator.com/item?id=10357583