@youronlyone the “the user is none the wiser” part here is misleading, I think. The example you linked to in your replies shows that you had to deliberately ignore an invalid TLS (SSL) certificate before you received the “modified” request.
It’s true that using HTTPS and encrypted DNS without a VPN means ISPs can still monitor your traffic—but they will only get the IP address and the encrypted traffic. Sometimes the domain name, etc., still leaks; I admit I'm not an expert in that part, but it's an exaggeration to say that they can modify your HTTPS-encrypted traffic so long as you stick to valid certificates. (Or, as another reply suggested, unless your device is compromised, say by having its trusted certificate store maliciously modified.)
When you ignored the invalid certificate warning, that's when your ISP was able to decrypt your traffic, basically telling them “sure, you can communicate with me as if you were the server I was expecting”. The government warning said as much.
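The “domain name still leaks” point in the reply above refers to the Server Name Indication (SNI) field, which a TLS client sends in plaintext in its ClientHello even when DNS is encrypted (unless Encrypted Client Hello is in use). The following Python script is an added illustration, not code from the poster: it builds a minimal ClientHello record from constructed bytes (the 32-byte random is a fixed placeholder, the cipher-suite list is a constructed sample) and then parses it the way a passive on-path observer could, recovering the host name without touching the encrypted payload. The builder and parser function names are my own.

```python
import struct

# Constructed placeholder for the 32-byte ClientHello random (real clients use CSPRNG output).
FIXED_RANDOM = bytes(range(32))


def build_client_hello(hostname, include_sni=True):
    """Build a minimal TLS 1.2-style ClientHello record (constructed sample, not a capture).

    Layout: TLS record header -> Handshake header -> ClientHello body, with an optional
    server_name (type 0x0000) extension carrying the host name in plaintext.
    """
    extensions = b""
    if include_sni:
        host = hostname.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(name_list)) + name_list
    body = (
        b"\x03\x03"                                                  # client_version TLS 1.2
        + FIXED_RANDOM
        + b"\x00"                                                    # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"                 # two constructed cipher suites
        + b"\x01\x00"                                                # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def _need(buf, pos, n):
    """Bounds check so truncated or malformed input raises instead of IndexError."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")


def extract_sni(record):
    """Return the plaintext SNI host name from a ClientHello record, or None if absent.

    This is what a passive observer (e.g. an ISP) can read before any encryption starts.
    Raises ValueError when the bytes are not a ClientHello.
    """
    _need(record, 0, 5)
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    _need(hs, 0, 4)
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 2 + 32                                                     # skip version and random
    _need(body, pos, 1)
    pos += 1 + body[pos]                                             # session_id
    _need(body, pos, 2)
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]             # cipher_suites
    _need(body, pos, 1)
    pos += 1 + body[pos]                                             # compression_methods
    if pos + 2 > len(body):
        return None                                                  # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    _need(body, pos, ext_len)
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        _need(body, pos, elen)
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000:
            continue
        _need(edata, 0, 2)
        list_len = struct.unpack("!H", edata[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            name_type = edata[q]
            name_len = struct.unpack("!H", edata[q + 1:q + 3])[0]
            _need(edata, q + 3, name_len)
            name = edata[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:
                return name.decode("idna")
    return None


if __name__ == "__main__":
    hello = build_client_hello("example.com")
    print("observer sees SNI:", extract_sni(hello))                  # example.com
    print("without SNI:", extract_sni(build_client_hello("example.com", include_sni=False)))
```

The parser never looks at anything beyond the handshake header and extension list, which is the point: the host name is readable on the wire while the request path, headers and body that follow remain inside the encrypted record layer. Encrypted DNS hides the lookup, but the ClientHello repeats the name, which is why the reply calls the leak "sometimes" rather than "never".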