"you can definitely do CA on the IP level and not in the domain level" - doesn't help with cabal certs. It's better to use a mesh ipv6 vpn and skip the redundant TLS layer. Non-cabal certs require another browser extension (and standard metadata for apps to know when to veto a cabal CA signature).