"If the schools, libraries, and other filtered access points own the client machines they can install their own CA into those machines and have the proxy software intercept and generate certificates." (From the comments.)

That's the first time I've seen a man-in-the-middle attack described as a technique for improving security.