You don’t need to decrypt your traffic at all with a TLS proxy. The CONNECT verb allows you to open a TLS connection through a proxy, and it takes additional work on the proxy’s part to mess with it. This can be done over HTTP and over HTTPS, for example.
MitM is certainly a useful feature for many native tools, but you can easily give Squid or even Nginx an HTTPS certificate and allow devices to connect to it without compromising your data.
There are already companies that work with a TLS proxy. In fact, many of these companies also intercept TLS traffic, in part because they are required by law to decrypt all data. In America, for example, you have this with some financial companies.
Other companies use a magic middle box to stop suspicious traffic and detect malware. I’m not in favor of it because I don’t really trust any company’s IT department enough to intercept such sensitive information, but on the other hand I see the benefits. If you want to filter your network you have to implement things like an SNI sniffer (which can be circumvented by domain interface, and which won’t work at all in a few years), and not much other traffic can be monitored due to lack of support. Turning off things like DNS-over-HTTPS to enforce your own DNS filter, and checking mail attachments, is a great story for admins, although of course this isn’t a reliable way to secure your network, because you’re just assuming the bad guy is using standard protocols.
However, here on Tweakers, you regularly see people freaking out about the potential for DNS encryption to bypass their filters, as if it wasn’t done over HTTP ten years ago by everything from advertising companies to malware farmers.
The option to set up a proxy has been in Android for a long time, so I don’t quite understand why WhatsApp would need it. I suspect that some proxies can’t handle WhatsApp (this kind of middle box is usually full of protocol errors) and this is a workaround.
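A client-side sketch of the CONNECT tunnel the post describes, added here as an example and not code from the post or from any of the proxies named: it asks the proxy for a raw tunnel and only then runs the TLS handshake end to end with the origin, so the client (not the proxy) verifies the certificate. The `FakeProxySocket` test double and the proxy address are constructed for illustration.

```python
"""Open an end-to-end TLS session through an HTTP proxy using CONNECT.

The proxy sees only "CONNECT host:443" and then relays opaque bytes; the
TLS handshake and certificate check happen between client and origin.
"""
import socket
import ssl

MAX_HEADER = 16 * 1024  # refuse absurdly long proxy replies


def build_connect_request(host: str, port: int) -> bytes:
    """Build the CONNECT request that asks the proxy for a raw TCP tunnel."""
    authority = f"{host}:{port}"
    return (f"CONNECT {authority} HTTP/1.1\r\n"
            f"Host: {authority}\r\n\r\n").encode("ascii")


def read_proxy_response(sock) -> tuple[int, str]:
    """Read the proxy's reply headers and return (status_code, reason)."""
    buf = b""
    while b"\r\n\r\n" not in buf:  # a 2xx CONNECT reply carries no body
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before replying")
        buf += chunk
        if len(buf) > MAX_HEADER:
            raise ValueError("proxy reply headers too large")
    status_line = buf.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed proxy status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def tunnel_through_proxy(sock, host: str, port: int) -> int:
    """Send CONNECT on an open proxy socket and insist on a 2xx reply."""
    sock.sendall(build_connect_request(host, port))
    status, reason = read_proxy_response(sock)
    if not 200 <= status < 300:
        raise ConnectionError(f"proxy refused CONNECT: {status} {reason}")
    return status


def open_tls_through_proxy(proxy: tuple[str, int], host: str, port: int = 443):
    """Full flow: TCP to the proxy, CONNECT, then TLS with the origin's cert checked."""
    sock = socket.create_connection(proxy, timeout=10)  # e.g. ("proxy.example", 3128), constructed
    tunnel_through_proxy(sock, host, port)
    ctx = ssl.create_default_context()  # verifies the origin's chain against the OS trust store
    # server_hostname drives SNI and hostname checking: a proxy that swaps in
    # its own certificate fails here unless its CA was installed on the client.
    return ctx.wrap_socket(sock, server_hostname=host)


class FakeProxySocket:
    """Constructed stand-in for a proxy socket: records what was sent, replays a canned reply."""
    def __init__(self, reply: bytes):
        self.reply, self.sent = reply, b""
    def sendall(self, data: bytes):
        self.sent += data
    def recv(self, n: int) -> bytes:
        out, self.reply = self.reply[:n], self.reply[n:]
        return out
```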