My understanding is that you can use split mode to only have the load balancer decrypt the server name section, and forward the actual session and key exchange down to the backend without doing double layer encryption.

If your load balanced doesn't support ECH, don't tell clients to use ECH.

The loadbalancer can force a downgrade .