Yes, indeed, there is a difference between TLS 1.x and QUIC. QUIC already encrypts the first packet, the client hello, wich contains the SNI. But the encryption key must be known by sender and receiver. How should there be a key agreement for the first packet? This is why the key is known by a person in the middle and the client hello, including the SNI, can be encrypted. Of course, this is an additional load on the MX. I do not know if the MX supports this.
https://quicwg.org/ops-drafts/draft-ietf-quic-manageability.html#name-server-name-indication-sni
https://www.opentech.fund/news/a-quick-look-at-quic-censorship/
One thing remains: 0-RTT. Both, TLS 1.3 and QUIC, allows for session resumption. The keys from a previous session are reused for a new connection. There is no TLS negotiation, the first packet contains the HTTP request. This reduces latency, but is obviously not optimal regarding security. 0-RTT lacks for forward secrecy. I assume, on many webservers this feature is disabled. Apache and Nginx have disabled 0-RTT by default.
Edit: Just a short test: Content filtering seems to work with TLS 1.3 but not with QUIC.