OP, I have been facing the same situation as you in this community recently. This was not the case when I first joined Lemmy but the behaviour around these parts has started to resemble Reddit more and more. But we’ll leave it at that.

I’ve noticed that behavior is split between communities. Lemmy gets a bit weird because communities are usually hyper-specialized, and sometimes instances themselves cultivate different cultures (e.g. lemmy.ml is usually for privacy enthusiasts, since that’s where c/privacy is hosted). That, with the addition of specific idols for each community (e.g. Louis Rossmann for the selfhosted community) affects how each community behaves. That’s my theory, anyways.

I am interested in the attack vector you mentioned; could you elaborate on the MITM attack?

Basically the “this website is not secure” popup you see in your browser is sometimes due to the website using a self-signed cert. There’s no way to verify that that cert is from the website itself or from an attacker trying to inject their own cert, since there’s no CA attached to the cert. If an attacker injects their own self-signed cert, they can use that to decrypt your HTTPS traffic (since your browser will be encrypting using their cert) and then forward your traffic along to the real website so that from your perspective (minus the warning screen) nothing is wrong. I’m oversimplifying this, but that’s basically how it works.

Unfortunately, if you don’t have control over your network, you cannot force a DNS server for your devices unless you can set it yourself for every individual client.

I forgot to mention in this post, but because of browser fingerprinting reasons I don’t want to use a custom DNS. Thanks for the suggestion though!