We chose to use some common configuration for deploying Envoy to drive consistency there, but App Mesh itself is a custom control plane for managing Envoy.
Here is my mental model of a traditional deployment (EKS):
Service[Type: LoadBalancer] -> Deployment[Pod]
How does Istio fit into this scenario, or what does it replace?
Istio is for east/west traffic within your K8S cluster, designed to connect your services together by moving all the network traffic through the Envoy proxy. It is usually done by wrapping your deployments with an extra sidecar pod (automatically using K8S APIs) that intercepts all the networking to other services and pods. You would still use a load balancer or ingress to route external traffic into the cluster, although there are options like Heptio Contour that also use Envoy for this.
This provides a single data and control plane to centralize all network reliability, security, service discovery, and monitoring.
Smaller clusters or services don't need it. The docs overview page is worth a read: https://istio.io/docs/concepts/what-is-istio/
Istio offers much more, but as far as anything but coarse-grained "this service will never need to talk to this other service" access control goes, I'd still much rather write the logic in the code where it has access to a lot more domain knowledge.
Personally, I think that Istio is overly complex but then so is k8s :)