I think a big part of the problem is that tech giants centralised TCP/IP to a point that big hosting companies can easily take part in censorship under the guise of regulatory pressure.

Self-hosted relays that are open are what we need - Better yet, nostr-client-intergrated-relays with meek or something of the like. No point in having multiple relays hosted by a singe company - That's still a high degree  of centralisation, even if spread around the globe.

Can't remember which one it was, but I recall a desktop Nostr app with a built-in relay service, going over a tor tunnel. I have a feeling that's where Lume announced it was headed in the future - And I think that's the right step to go. 

Nostr on websites is great from an accessibility perspective (hail PWAs I guess), but accessibility and censorship-resistance are not the same thing. I'd say anyone using nostr solely via websites is setting themselves up for trouble, at some point, somewhere, for some reason. 

 I think you're right that DNS, TLS certificates, and ISPs are all chokepoints. Maybe something like i2p bridges or something could overcome that. But that's not specific to nostr, so we have the help of the broader freedom tech community available to us.