Currently zabbix_sender with TLS requires you to set PSK/CA on each host. For proxies you are allowed to configure a single PSK/CA as they execute instructions received from the server.
As a feature request I would like zabbix_sender to have an option to act like a proxy (single psk/ca for the machine sending the data)
We are running a configuration system which also gathers statistics and uploads them to a customer specific zabbix installation. If device A of customer A reports its statistics it gets uploaded via zabbix_sender to zabbix instance A, if device B of customer B it goes to zabbix B, etc.
To enable TLS for this communication would require all hosts to have the PSK/CA set to the same value at least on the same server. Assigning each host a unique value will require complex a complex administration system (more than 100.000 hosts on less than 100 servers)