
Doesn't TLS defeat this?


Not necessarily. You are correct in that you can't look at the literal messages inside the packets anymore but you can make educated assumptions based on usage patterns and packet sizes combined with data that's already in the header. Just take a look at this almost 3 year old submission detailing someone's experience with the Great Firewall: https://news.ycombinator.com/item?id=10905076

Since that was 3 years ago, I suspect there's much more advanced network wizardry available today.


I.e. side channels. There are side channels for everything. And if you don't care about precision that much - e.g. you're willing to filter out anything even remotely resembling the actual thing you're after - then TLS isn't going to be a hard problem.


IIRC Iran throttled TLS connections to ridiculously slow rates to discourage their use.


The government can just block all encrypted connections. Either switch to unencrypted or enjoy no internet.


No, the DPI box or another network box should be the one that is actually sending the cert. You are only exchanging a cert with DPI and then the DPI will send its cert to your destination.

The client must trust the DPI cert for it to work.



