@WGrobler as always these are excellent points, and I’ve been thinking somewhat along similar lines recently.
The good news is I think this may be solved with the work I’ve been doing on the open tunneling protocol. Basically I think I’ve designed a protocol that should allow all the functionality of boringproxy, but without the server and client needing to trust each other. So the server only connects domains to tunnels, and all the control over what happens on the other end of the tunnel is controlled by the client.
The coolest part is I think we’ll be able to still have web GUIs for controlling all these settings, but each client can have its own e2ee UI. So sensitive clients can be completely locked down with nothing exposed to the server, while still providing the convenience of remote control.
I’m still in the process of prototyping this, but I say we hold off on making other security changes until you have a chance to try it out and see if it accomplishes what you need.