This statement would be more meaningful had it been phrased something like this: "encrypted web traffic, which most adversaries cannot snoop on, exceeds 90%".
There will always be an adversary, far powerful than you, with an ability to snoop on your traffic - be it your ISP, the other endpoint, or owners of the infrastructure that you consume, but do not control.
You portray encryption as a magical energy. To the best understanding of cryptanalysis research, current TLS is secure. Hypothetically it could be broken and publicly unknown, but this is not a matter of "power".
> the other endpoint
It's not sensible to say encrypted web traffic is snooped on by an actor with direct access to the plaintext.
The simple statement made in OP, does not capture the complexity of operational security, which is very difficult to get right. I was merely trying to illustrate that.
For e.g., even though TLS is end-to-end secure (and I don't doubt that), a website that uses CloudFlare front [1] is susecptible to its secure traffic being intercepted by CloudFlare, because by-design TLS would be terminated at CloudFlare servers'. However, note that the end-user does not notice that, rather he sees his traffic end-to-end encrypted.
> a website that uses CloudFlare front [1] is susceptible to its secure traffic being intercepted by CloudFlare, because by-design TLS would be terminated at CloudFlare servers
Keep in mind, this is also true of cloud providers. By running the hypervisor, AWS has full access to your instance's RAM and could snoop on traffic if they pleased.
A compromised service provider is a risk you're accepting unless you own and physically control the hardware terminating TLS. Whether this is an acceptable risk comes down to your threat model. (As do so many things in infosec.)
There will always be an adversary, far powerful than you, with an ability to snoop on your traffic - be it your ISP, the other endpoint, or owners of the infrastructure that you consume, but do not control.