Indeed, but SNI is more than 10 years old now so very well supported. I'd appreciate someone else correcting me if I'm wrong here, but I believe SNI is also enabled by default (where it's supported).

In any case, even without the hostname header, it doesn't take much research to find a short list of possible candidates (eg https://www.virustotal.com/en/ip-address/193.0.6.136/informa...).

Thanks for going deep into this, let me add though that it's not about an ideal world or bullying, HTTPS should be the default. Lets Encrypt managed that for us already, pretty soon it will be the default.