You don't own the communication as a network operator, unless you can also prove that you have control over the device.
IoT devices sometimes rely on sending sensitive data to their backends. This data may include API keys, client authentication secrets and such. By having access to that communication, you may be able to spoof the identity of the IoT device from a PC or a hacked device. Not very desirable from the IoT vendor's point of view.
> You don't own the communication as a network operator, unless you can also prove that you have control over the device.
Sure, but devices that you don't have control over shouldn't be permitted to communicate anywhere at all ever.
> IoT devices sometime rely on sending sensitive data to their backends.
Such as literally anything.
> This data may include API keys, client authentication secrets and such.
Yeah, that sounds like sensitive data alright. It's all data that the owner of the device should have but often does not because of misplaced corporate greed.
> By having access to that communication, you may be able to spoof identity of the IoT device from a PC or a hacked-device.
So what? If I own the device and it's on my network then I have every right to everything on the device.
> Not very desirable from IoT vendor point of view.
And that right there is exactly the problem. IoT vendors don't want to really give up ownership of something they've sold.
There can be legitimate reasons for restricting access to IoT traffic, and data may not be user data at all.
Imagine an IoT light bulb that can be controlled via voice assistants and the IoT vendor's mobile app. This bulb talks to some services. The IoT vendor developed those services just for this product. If an adversary/hacker can see the communication protocol and API keys, he can use the same service to control his own ESP32 project. He can even abuse the service in ways it was not originally intended. For example, a competitor can ship counterfeit products that work with your service.