@argv_minus_one They can, they have a tool to do that, and a VPN can save you from that tool they're using.
“It looks like your ISP is using gear from Palo Alto networks to intercept your SSL traffic based on the common name in the SSL certificate.” https://github.com/DNSCrypt/dnscrypt-proxy/discussions/1790#discussioncomment-1052610
They use it to monitor for CSAEM.
https://im.youronly.one/techmagus/philippines-isp-hijack-connection-2021206/
If you have a VPN enabled, their tool can no longer hijack your requests.
^_^