Well yes! That is the entire point / methodology of TLS. Because you have a trust anchor, you can be sure that at the app layer the connection is "secure".
Of course the L3/L4 can be (non) trivially intercepted by anyone, but that is exactly what TLS protects you against.
If simple L4 interception were all that is required, enterprises wouldn't have to install a trust root on end devices in order to MITM all TLS connections.
The comment you were replying to is:
> How is an attacker going to MITM an encrypted connection they don't have the keys for
Of course they can intercept the connection, but they can't MITM it in the sense that MITM means -- read the communications. The kind of "MITM" / interception that you are talking about is simply what routers do anyway!
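The trust-anchor point in the comment above, as an added example that is not part of the original comment: a client accepts a certificate only if it chains to a root in its own trust store, so a certificate minted by an on-path box is rejected until that box's root is installed on the device. It assumes the `openssl` CLI is on PATH; `example.test`, "Real Root" and "Interceptor Root" are constructed names.

```shell
#!/bin/sh
# Added illustration; every name here (example.test, "Real Root",
# "Interceptor Root") is constructed. Assumes the openssl CLI is on PATH.

# make_chain DIR CN: create a self-signed CA with subject CN in DIR, then a
# leaf certificate for example.test signed by it (DIR/ca.pem, DIR/leaf.pem).
make_chain() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# check STORE LEAF: chain validation only (no hostname check), the step a
# client performs against its trust anchors during the TLS handshake.
check() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    then echo trusted; else echo rejected; fi
}

# demo: prints the three verdicts separated by spaces.
demo() {
    tmp=$(mktemp -d) || return 1
    make_chain "$tmp/real" "Real Root" &&
    make_chain "$tmp/mitm" "Interceptor Root" || { rm -rf "$tmp"; return 1; }
    # 1. Stock client, genuine server certificate.
    a=$(check "$tmp/real/ca.pem" "$tmp/real/leaf.pem")
    # 2. Stock client, certificate minted on-path for the same name.
    b=$(check "$tmp/real/ca.pem" "$tmp/mitm/leaf.pem")
    # 3. Managed client whose store also holds the interceptor's root.
    cat "$tmp/real/ca.pem" "$tmp/mitm/ca.pem" > "$tmp/managed.pem"
    c=$(check "$tmp/managed.pem" "$tmp/mitm/leaf.pem")
    rm -rf "$tmp"
    echo "$a $b $c"
}

demo   # -> trusted rejected trusted
```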