The "inspection" part of DPI isn't limited to encrypted payloads. It's straightforward enough to look at application-level protocol headers and identify e.g. a Wireguard or OpenVPN or SSH connection, even if you can't decrypt the payload. That could be used as sufficient grounds to either block the traffic or punish the user.