Very true. I suspect that really starting with the assumption that someone is running a web server is probably too strong, as a lot of people are on shared hosting, or using some sort of containerization, or using some sort of "cloud" service that has TLS from their own CA built in if you can figure out what it's called and how to turn it on. The era of people just spinning up Apache (or nginx or whatever) is rapidly ending, and I think that any sort of "official" recommendation really needs to start with the principle of
It'd be really good if there were a good place to send people like in this recent thread of someone who wants to run hosting, knows that they should be providing HTTPS, but doesn't know where to start. I'm not sure where to tell them to start either.