All encrypted traffic is decrypted by the recipient, sure. Who's "the recipient" though? Do all your services handle TLS, or do you terminate TLS at an HAProxy/Nginx/etc. before hitting the actual services? How many hops do the unencrypted payloads take inside your network? Do you agree that it would be best to reduce that number to a minimum? There are ways to work around this, but they have trade-offs associated with them, and they do have a reasonable requirement here.