Makes me wonder if one could bypass the zero-rating scheme with a custom TLS tunnel that sends SNI headers for Facebook.com to your own server.

You probably can. But it would require a custom app that doesn't use the same cname for DNS resolution, SNI and then inside follow-up requests in the Host header. A web-browser would e.g. just use the same values for all of those, and then you either get charged or would end up at facebook.com.

It's also a preferred hardware inspection as its dead easy to rip the header than to seek mid-message to do message entropy/fingerprinting.

It's indeed pretty simple for TLS over TCP, since the whole ClientHello is part of the first packet and relatively easy parse or seek for. With QUIC it becomes a major pain, since it's not obvious anymore for middleboxes which QUIC packet is the first in a connection, and since Crypto data can be fragmented and reordered (Chrome is doing that by purpose even inside single packets). Therefore hardware inspection would require a pretty full-featured QUIC protocol parser and understanding.

It's easier to just block QUIC. (And UDP in general, might as well)

Interesting, thanks for the insight.