TLS everywhere is fine, but it's not the point.
Somewhere around 2019 the discourse on "is it on TLS?" finished. The answer is yes. Browsers warn you when it isn't. Let's Encrypt removed the last good excuse not to. New protocols start there. Even internal-only services are mostly there. Good.
What's less talked about is what it means now that TLS is "everywhere." Because the actual answer is: less than people think.
What TLS gives you
A confidentiality and integrity guarantee for the bytes between two parties that have already established trust by other means. The TLS handshake is not the trust step. The TLS handshake assumes trust, and the trust comes from the certificate authority system, which you didn't choose and which has its own complicated history.
None of this is news. But it means the value of "the connection is private" is bounded by everything that happened before the connection started and everything that happens to the bytes after they arrive. In practice that's almost everything.
What changes
What actually changes when a connection becomes private isn't the connection. It's everything that gets to live next to it. You can now stop maintaining a separate "secure" path and a "fast" path. You can let your sidecar speak the same protocol as your client. You can stop coding around an L7 load balancer that needs to read your headers. You can move logic to the edge because the edge is no longer a place where things get observed.
These second-order effects are where the real value lives. The first-order effect — "now Mallory can't see what I send" — is barely the point.
Two things we keep doing
For all that, two old practices keep paying us back.
One: we treat TLS termination as a load-bearing architectural decision. Not a checkbox. Where does the TLS connection end? Who holds the private key? What runs on the host that holds the private key? Are those answers documented somewhere a new hire can find them in their first week? If not, you don't have a TLS deployment — you have a TLS situation.
Two: we still write down what's "inside" and what's "outside" the trust boundary, even when everything is technically encrypted. The encryption is doing one job. The trust boundary is doing every other job. Drawing it on the whiteboard is still worth the marker.
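Both practices can be checked mechanically once the answers are written down. The sketch below is an added example, not code from this post's author: it audits a constructed inventory of one request path, flagging termination points with unanswered questions and any that the diagram places outside the trust boundary. The field names, hop names and wiki URL are assumptions made up for the illustration.

```python
from dataclasses import dataclass, field

# The questions asked of every termination point (field names are assumptions).
REQUIRED = ("key_holder", "co_resident_workloads", "doc_url")

@dataclass
class Hop:
    name: str
    zone: str                     # "inside" or "outside" the trust boundary
    terminates_tls: bool = False  # False means TLS is passed through untouched
    answers: dict = field(default_factory=dict)

def audit(path):
    """Return (hop, problem) findings for one request path, edge to backend."""
    findings = []
    for hop in path:
        if not hop.terminates_tls:
            continue
        # A terminating hop holds a key and sees plaintext, so the diagram
        # has to place it inside the boundary (assumed reading of the post).
        if hop.zone != "inside":
            findings.append((hop.name, "terminates TLS but is drawn outside the boundary"))
        for question in REQUIRED:
            if not str(hop.answers.get(question, "")).strip():
                findings.append((hop.name, f"undocumented: {question}"))
    if not any(h.terminates_tls for h in path):
        findings.append(("<path>", "no termination point recorded"))
    return findings

# Constructed sample inventory, not taken from any real deployment.
SAMPLE_PATH = [
    Hop("cdn-edge", "outside", True,
        {"key_holder": "CDN vendor", "co_resident_workloads": "", "doc_url": ""}),
    Hop("l4-balancer", "inside"),
    Hop("api-pod", "inside", True,
        {"key_holder": "platform team",
         "co_resident_workloads": "api, log sidecar",
         "doc_url": "https://wiki.example/tls/api-pod"}),
]

if __name__ == "__main__":
    for hop, problem in audit(SAMPLE_PATH):
        print(f"{hop}: {problem}")
```

Run against the sample, the edge hop produces three findings and the fully documented pod produces none; the pass-through balancer is skipped because it never holds a key.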