When setting up certificate monitoring in Zabbix, it’s often best to create a “dummy” host within the Zabbix proxy group. This host uses the interface 127.0.0.1, which points to the Zabbix agent on one of the proxies in the group.

Because the proxy group always communicates with its own local Zabbix agent (regardless of which proxy is currently active), certificate monitoring is consistent. The dummy host is always "available", and alerts aren’t duplicated.

The loopback interface (127.0.0.1) used for s "dummy host"/agent should be configured without encryption, even if encryption is enabled.  Or some option to enable this behaviour ?

The reason is that when agents use different PSK identity/keys, it becomes impossible to manage consistent encrypted communication over 127.0.0.1.