eSNI still gives away the public key for the encrypted host name. You only get a privacy advantage there if you're going through a large aggregator (Cloudflare, maybe Google and AWS load balancers), in which case you have maybe reduced the number of governments that can identify your users. That's useful if you're trying to evade the GFW and you can find a service provider they won't block, but that's assuming the GFW doesn't just block DoH and the ESNI TXT records over plaintext DNS. And it adds a reliance on a small list of providers that have a scary monitoring capability themselves.
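For readers who want to see exactly what a passive observer reads today and what ESNI takes away: the plaintext host name sits in the `server_name` extension of the ClientHello, which ESNI replaces with an extension encrypted under the key published in DNS. The following is an added example, not code from anyone in this thread. It builds a constructed, minimal ClientHello (dummy random, no real key share, not a usable handshake) with and without `server_name`, and parses it the way a DPI box on the path would.

```python
import struct


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.3-style ClientHello record (constructed sample).

    Only the fields needed to show where SNI lives are populated; the random
    value is zeroed and there is no key_share, so this is not a real handshake.
    """
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        # ServerName entry: name_type=0 (host_name), 2-byte length, name bytes
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        # ServerNameList: 2-byte list length, then the entries
        sni_list = struct.pack("!H", len(entry)) + entry
        # extension header: type 0x0000 (server_name), 2-byte data length
        extensions += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    # supported_versions (0x002b) advertising TLS 1.3 (0x0304)
    versions = b"\x02\x03\x04"
    extensions += struct.pack("!HH", 0x002b, len(versions)) + versions

    body = b"\x03\x03"                              # legacy_version = TLS 1.2
    body += b"\x00" * 32                            # random (dummy, constructed)
    body += b"\x00"                                 # legacy_session_id: empty
    body += struct.pack("!H", 2) + b"\x13\x01"      # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                             # compression_methods: null only
    body += struct.pack("!H", len(extensions)) + extensions

    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record header


def extract_sni(record):
    """Return the host name a passive observer can read from a ClientHello
    record, or None if there is no server_name extension (e.g. with ESNI)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]

    pos = 2 + 32                                    # skip legacy_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                              # skip legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                               # skip cipher_suites
    cm_len = body[pos]
    pos += 1 + cm_len                               # skip compression_methods
    if pos + 2 > len(body):
        return None                                 # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000:                         # only server_name carries the host
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:                      # host_name
                return name.decode("ascii")
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))   # plaintext SNI: visible
    print(extract_sni(build_client_hello(None)))            # no server_name: nothing to read
```

With ESNI the `server_name` extension is absent and the host name travels in a separate extension encrypted under the key from the DNS record, so the second case is what the on-path observer sees; the DNS lookup for that key, and the destination IP, remain visible, which is the point the comment above makes.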
Not really. TLS 1.3 at least does a certificate-free ECDH handshake, deriving symmetric encryption keys that are then used to transmit the certificate(s) and any further negotiation. You can deploy TLS 1.3 without leaking anything to a passive observer, and have it blow up in the face of an active (MitM) observer.
That's a problem with the internet in general, really. eSNI or not, "don't stand out" can only work if you aren't standing out with regard to the source and destination IPs your packets have.
You can easily run a proxy from AWS (or whoever) to wherever, and get "don't stand out", without giving the keys to your proxy host. If you cycle those often enough, you'll have some degree of "don't stand out". Of course, if you use eSNI, or SNI, you'll still stand out.