Slightly off-topic. I was thinking that if people could enforce a model where users can choose to delegate encryption work to the OS or some kind of network gateway, and inspection is allowed before encryption happens, this would be a clean and built-in solution for the inspection issue.