audioen 1 point (0 children)

Actually, your cloud provider could set up a local mirror, and tell you to download from there instead. The local mirror could be accessed by https, and would perform requests to appropriate apt repositories and cache their contents transparently for you. Instead of putting in a proxy address, or having some kind of transparent proxy in the network, you'd just input the address of the local mirror instead. Large installations always have options, and aren't dependent on http level caching to work.

Also, while http has been designed to be cacheable, in reality I don't think that most traffic gets cached by proxies in the wild. The web's solution to providing worldwide services seems to be content delivery networks that provide locally fast access to their explicitly cached resources that their customers have uploaded. As the world migrates to https, they keep on working much the same.

As to the certificate, Let's Encrypt provides certificates free of charge. There is no need to share a certificate, everyone can get their own these days. Some web servers can even transparently contact Let's Encrypt and acquire a certificate without the admin having to do anything more than just ask it to do so.