I believe that you can make a new APN entry, copying the provided settings, without the second tethering-only APN, if you want, which gets around it too.
AFAICT the reason for this second APN is to allow providers to discriminate between phone-originated data and tethering for charging purposes. And they seem to have persuaded Google not to allow people to edit it :/
But a variety of applications can install their cert (with user permission via a dialog, ofc) and snoop traffic. At least unencrypted.
The way they do it is by installing a VPN and reading stuff in between.
https://play.google.com/store/apps/details?id=app.greyshirts...