Re: They can only do that if...
Unfortunately, no.
On a visit to the KAUST campus in Saudi Arabia a few years back, the network connections available there MITM'd every HTTPS request with valid/signed wild-card certificates they were able to obtain from "trusted" CAs.
HTTPS only works if you trust the CAs your browser trusts. When some of those CAs give out certificates to government agencies for domains the government has no business having certificates for, then you really can't trust HTTPS.