That'd pop up a mention of 'failed update' whereas in plaintext you can simply refuse to provide any packages.

That doesn't make sense? If you have the capability to refuse all http packages, you can still refuse all https packages coming from debian. My comment was for refusing specific packages in https. Buffer the first package and ack. Then wait the rest, count the bytes. If bytes == N then I know this person is downloading tor, refuse the first package such that they can never download tor.

At that point, the client has initiated a specific update or install that fails. This is different from simply censoring the existence of a package.