I think they think they can just block them on a case-by-case basis, but that is harder than they think it is because IP bans will get most of AWS, and therefore the Internet blocked, and then the only option is an HTTPS MITM proxy, which would then break any site with cert pinning.
Past options that don't work anymore include SNI inspection (replaced with ESNI/ECH, but wasn't hard to circumvent; say you want good.com when you're doing SNI, say you want evil.com when sending a Host: header), and DNS blocks (but now DNS-over-HTTPS is a thing, so as difficult to control at the state level; would require a court to compel in-state DNS-over-HTTPS providers to publish fake facts, which violates federal law; but irrelevant because AWS, Cloudflare, and Google don't have any assets of value in Utah).
I'd say it's basically impossible to ban VPNs. If it happens, you'll see random VPN employees detained/arrested while on vacation or something like that, unless the news cycle blows over. China can do it, because they can just kill tech execs that won't cooperate, but we typically don't do that in the US.
Past options that don't work anymore include SNI inspection (replaced with ESNI/ECH, but wasn't hard to circumvent; say you want good.com when you're doing SNI, say you want evil.com when sending a Host: header), and DNS blocks (but now DNS-over-HTTPS is a thing, so as difficult to control at the state level; would require a court to compel in-state DNS-over-HTTPS providers to publish fake facts, which violates federal law; but irrelevant because AWS, Cloudflare, and Google don't have any assets of value in Utah).
I'd say it's basically impossible to ban VPNs. If it happens, you'll see random VPN employees detained/arrested while on vacation or something like that, unless the news cycle blows over. China can do it, because they can just kill tech execs that won't cooperate, but we typically don't do that in the US.