
I’m confused by the first claim. Is it really true? I thought TLS prevented anyone from inspecting my traffic. Am I completely off base?



Well, with TLS it stops (almost (1)) anyone from seeing which pages you access on a site (with exceptions (2)), but which site you visit is still accessible unless the server supports Encrypted Server Name Indication (ESNI).

When using standard SNI (SNI is used so you can have multiple domains on the same IP address), your connection to the server is not encrypted until after the hostname of the server you are requesting is sent, at which point the server knows which cert to use to encrypt the rest of the traffic. So you can pull the host header out of the pre-encrypted traffic and look at which site the user is connecting to.

1) When the webserver you are accessing uses services that terminate TLS before the origin server (Cloudflare and CloudFront to name two) then the operators of those TLS terminators might be able to see which pages on that site you visit

2) You might be able to determine which page someone is accessing via side channels. For example, if example.com/naughtypage.html always returns a page of a certain size which is determinable, you can presume they connected to example.com/naughtypage.html if the returning data matches that size.


They know what IPs you are connecting to and when, which is valuable. If Cloudflare serves the site you are connecting to (which is increasingly common), they have access to all of the data you are transmitting.


Somehow I thought they meant more. I’m sure my ISP is after all of my data but I’d rather them than CF. Upon rereading their claim I suspect it is just about IPs and hostnames. I can live with that. Also my browser uses DoH.


Yes, even the router given by my ISP offers Parental Controls with keyword matching against host name, thanks to SNI.

https://en.wikipedia.org/wiki/Server_Name_Indication

> The desired hostname is not encrypted in the original SNI extension, so an eavesdropper can see which site is being requested.


SNI reveals which domains.


ECH (encrypted client hello) is going to become mainstream pretty soon. But if you're doing something dodgy, hostname vs. IP is unlikely to make a difference anyway.


Is DoH (DNS over HTTPS) needed to hide requests from ISPs when using a VPN? I'd imagine the DNS protocol also runs over the VPN?


Well, using DoH while using a VPN isn't going to hurt, and VPN clients/OSes have been known to leak DNS queries from time to time.

So think of it like other forms of protection, where two are better than one just in case one fails.



