
How are they inspecting your network traffic?


They don't need to. They can infer based on the size and timing of the transfers. Nothing for a while then suddenly a huge download? Probably a picture. If the sizes are unique enough they might even figure out which.

https://en.wikipedia.org/wiki/Traffic_analysis

To stop this, we'd have to saturate the link 100% of the time even when no useful communications are taking place.


But how do they know what you're looking at and how are they using this information to do anything useful? I get you can probably differentiate between text and video, but I'm having trouble understanding exactly what information they would get from your bandwidth consumption.


If there's an image of size X and they observe a download of X bytes, they can infer you downloaded and possibly looked at that image. The file size alone might be unique enough to allow that.

What they do with this information is anyone's guess. Just viewing something could put you into some kind of government watchlist. They could use parallel construction against you.
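Added example, not part of any comment in this thread: a sketch of the size-matching inference described above, and of how padding transfers to fixed block sizes shrinks the set of objects an observer can single out. The catalog, file names and block sizes are constructed for illustration, and the observer is assumed to see the padded transfer size exactly.

```python
from collections import Counter

# Constructed sample: plaintext sizes (bytes) of images on a hypothetical site.
CATALOG = {
    "a.jpg": 48_213, "b.jpg": 48_990, "c.jpg": 51_002,
    "d.jpg": 63_877, "e.jpg": 64_100, "f.jpg": 120_450,
    "g.jpg": 131_000, "h.jpg": 250_001, "i.jpg": 260_000,
}

def pad_to_block(size, block):
    """Round size up to the next multiple of block (block=1 means no padding)."""
    return -(-size // block) * block

def no_pad(size):
    return pad_to_block(size, 1)

def pad_1k(size):
    return pad_to_block(size, 1024)

def pad_16k(size):
    return pad_to_block(size, 16 * 1024)

def anonymity_sets(catalog, pad):
    """For each object, count how many objects share its observed (padded) size."""
    seen = Counter(pad(s) for s in catalog.values())
    return {name: seen[pad(s)] for name, s in catalog.items()}

def uniquely_identifiable(catalog, pad):
    """Objects whose observed size matches nothing else in the catalog."""
    return sorted(n for n, k in anonymity_sets(catalog, pad).items() if k == 1)

def overhead(catalog, pad):
    """Fraction of extra bytes the padding scheme costs across the catalog."""
    raw = sum(catalog.values())
    return (sum(pad(s) for s in catalog.values()) - raw) / raw

if __name__ == "__main__":
    for label, pad in (("none", no_pad), ("1 KiB", pad_1k), ("16 KiB", pad_16k)):
        unique = uniquely_identifiable(CATALOG, pad)
        print(f"padding={label:7} unique={len(unique)}/{len(CATALOG)} "
              f"overhead={overhead(CATALOG, pad):.2%}")
```

Coarser blocks leave fewer objects in a size class of their own, at the cost of more padding bytes; timing and burst patterns are not addressed by this kind of padding.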


They aren't going to see behind the TLS curtain, but they would see (assuming no DNS encryption) a domain name lookup followed by various traffic patterns; either:

Bursts (page loads) with near silence in between, maybe just some non-human-triggered traffic from scripts that poll.

Bursts (page loads) with quite a bit more of a human-triggered cadence in between, if lazy loading during scrolling occurs.

But mouse-tracking analytics probably result in a similar leak, if not better.


Even with encrypted DNS, the unencrypted host name is usually part of the TLS handshake (or the server wouldn’t know what certificate to present to you).


True, though there seems to be decent momentum toward ECH (which supplants ESNI) lately:

https://blog.cloudflare.com/handshake-encryption-endgame-an-...

https://www.reddit.com/r/CloudFlare/comments/wp6yve/what_are...


But you also usually keep the connection alive for multiple requests.


To the same host though, so that doesn’t really help with privacy, no?


I don't care. At some point the law of diminishing returns makes some bit of exfiltration of user interaction pointless to worry about.



