The situation is actually somewhat more complicated than this.

ECH gets the key from the DNS, and there's no real authentication for this data (DNSSEC is rare and is not checked by the browser). See S 10.2 [0] for why this is reasonable.

[0] https://tlswg.org/draft-ietf-tls-esni/draft-ietf-tls-esni.ht...