Mullvad is working on adding QUIC obfuscation in their VPN clients

One of the easiest ways to do “DPI” (all relative how “deep” it is) is just to look at the SNI hostname in the TLS Client Hello.

In TLS and QUIC without Chaos Protection, middleboxes can sniff the SNI hostname by just reading a fixed offset into the stream.

Chaos Protection for QUIC breaks up the Client Hello into multiple frames and shuffles them (perfectly valid from a real QUIC implementation’s perspective).

So middleboxes would have to jump from “reading a fixed byte offset” to “fully implementing QUIC frame reconstruction logic and doing that for every stream”, which is far trickier.

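The difference the post describes, as an added example (not part of the original post and not Mullvad's code): an SNI parser that works on a contiguous ClientHello returns nothing when handed a single shuffled CRYPTO frame, and only succeeds after the frames are reordered by offset. It assumes the CRYPTO frames have already been extracted from decrypted Initial packets and models them as `(offset, data)` pairs; the ClientHello, the host name and the frame split are constructed sample data.

```python
import struct

def build_client_hello(host):
    """Constructed minimal TLS 1.3 ClientHello carrying only an SNI extension."""
    name = host.encode()
    sni = struct.pack("!BH", 0, len(name)) + name        # name_type 0 = host_name
    sni = struct.pack("!H", len(sni)) + sni              # server_name_list
    ext = struct.pack("!HH", 0, len(sni)) + sni          # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"            # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"          # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello

def parse_sni(hello):
    """Walk the ClientHello fields; return the SNI host, or None if not parseable."""
    try:
        if hello[0] != 1 or 4 + int.from_bytes(hello[1:4], "big") > len(hello):
            return None                                  # not a complete ClientHello
        p = 4 + 2 + 32                                   # header, version, random
        p += 1 + hello[p]                                # session id
        p += 2 + struct.unpack_from("!H", hello, p)[0]   # cipher suites
        p += 1 + hello[p]                                # compression methods
        ext_end = p + 2 + struct.unpack_from("!H", hello, p)[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", hello, p)
            if etype == 0:                               # server_name extension
                nlen = struct.unpack_from("!H", hello, p + 7)[0]
                return hello[p + 9:p + 9 + nlen].decode()
            p += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None

def reassemble(frames):
    """Rebuild the CRYPTO stream from (offset, data) pairs in any arrival order."""
    buf = bytearray()
    for off, data in sorted(frames):
        if off > len(buf):
            return None                                  # gap: a frame has not arrived yet
        buf[off:off + len(data)] = data                  # tolerates overlap and retransmits
    return bytes(buf)

def sni_from_frames(frames):
    stream = reassemble(frames)
    return parse_sni(stream) if stream else None

HELLO = build_client_hello("example.com")
# Constructed sample: one ClientHello split into three CRYPTO frames, wire order shuffled.
FRAMES = [(40, HELLO[40:]), (0, HELLO[:20]), (20, HELLO[20:40])]
```

`parse_sni(FRAMES[0][1])` stands in for the single-frame shortcut and returns `None`, while `sni_from_frames(FRAMES)` has to buffer and order every frame of the flow before it can parse anything.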