> HTTPS everywhere protects against mass surveillance
To some extent it does. For simplicity, let's assume it did, completely. Your choices then are:
A) The NSA can tell that someone in your company viewed catvideos.com.
B) The NSA can't tell that someone viewed catvideos.com, and you get infected with malware that somebody put on catvideos.com.
It's not clear that (A) is always preferable. Obviously that doesn't mean you should never use TLS. It means there is a tradeoff.
> there's always a way to get around the firewall
No, that's the difference between an actual real firewall, which is installed on the network at the demarc, and "personal privacy software", which runs on the host. A firewall has two network ports. One connects to the internet (or other "outside" network); the other connects to the internal network. There is literally no physical path for signals to travel except through the firewall. There's physically no way around a hardware firewall, no wires for packets to travel through. All packets go *through* the firewall.
You can also do some checks on the local host, but given that you must assume the local host is compromised, you don't trust the local host to identify the malware it's infected by. Any anti-virus/anti-malware on the host is *always* auxiliary to monitoring from a trusted system. Also, the local host obviously can't detect anomalous botnet traffic when a worm infects your network, sweeps across your network trying default and common passwords, etc.
You get much better security by having dedicated security appliances (some of which cost $20,000 or more, not practical to run one for each desktop and laptop), managed and monitored 24/7 by the SOC, looking at a holistic view of the entire network, rather than trusting a potentially infected laptop, run by an accountant, clerk or manager, to protect itself. Frankly, your perspective on security is very much that of a typical home user in 1995. That's not how it's done in the enterprise, and that's not how it's done in 2017. Our SOC, as an example, employs about 200 security specialists. CorpSec is probably another 40 specialists. We've moved a bit beyond installing McAfee and thinking we're protected. Those 200 specialists in the SOC can't monitor and manage things nearly as well if they can't see anything, though. 10,000 encrypted TLS connections don't provide many actionable events.
Btw, you mentioned "(as opposed to IP / site blocking)". Where do you think the IP blacklists come from? They come from the SOC, both ours and Cisco TALOS. They are based on what we learn about traffic flows from those IP addresses - because we can *see* the malware being delivered from those IPs.
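The kind of network-side detection the comment describes (a worm or bot sweeping hosts with default passwords, which the infected host itself will never report but a firewall or sensor at the demarc can see) is shown below as an added example; it is not code from the original thread or from any product mentioned in it. It assumes a simplified flow record "timestamp src dst dport" standing in for NetFlow or Zeek conn.log output, constructed sample flows rather than real traffic, and illustrative thresholds (8 distinct hosts in 5 minutes) that a real SOC would tune per segment.

```python
"""Network-side detection of a credential sweep / lateral scan from flow records.

Added example, not part of the original comment. The record format and the
thresholds are assumptions; the sample flows below are constructed, not captured.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flows: "<ISO timestamp> <src> <dst> <dport>".
# 10.0.5.17 touches 10 hosts on tcp/22 in ~70 seconds (a fast sweep),
# 10.0.5.50 is an admin touching 2 hosts, and 10.0.7.9 is a slow scanner
# touching 8 hosts, one every 6 minutes.
SAMPLE_FLOWS = """
2017-03-01T10:00:01 10.0.5.17 10.0.5.20 22
2017-03-01T10:00:05 10.0.5.17 10.0.5.21 22
2017-03-01T10:00:11 10.0.5.17 10.0.5.22 22
2017-03-01T10:00:18 10.0.5.17 10.0.5.23 22
2017-03-01T10:00:26 10.0.5.17 10.0.5.24 22
2017-03-01T10:00:33 10.0.5.17 10.0.5.25 22
2017-03-01T10:00:41 10.0.5.17 10.0.5.26 22
2017-03-01T10:00:52 10.0.5.17 10.0.5.27 22
2017-03-01T10:01:03 10.0.5.17 10.0.5.28 22
2017-03-01T10:01:12 10.0.5.17 10.0.5.29 22
2017-03-01T10:02:00 10.0.5.50 10.0.5.40 22
2017-03-01T10:04:10 10.0.5.50 10.0.5.41 22
2017-03-01T10:09:30 10.0.5.50 10.0.5.40 22
2017-03-01T10:00:00 10.0.7.9 10.0.8.10 22
2017-03-01T10:06:00 10.0.7.9 10.0.8.11 22
2017-03-01T10:12:00 10.0.7.9 10.0.8.12 22
2017-03-01T10:18:00 10.0.7.9 10.0.8.13 22
2017-03-01T10:24:00 10.0.7.9 10.0.8.14 22
2017-03-01T10:30:00 10.0.7.9 10.0.8.15 22
2017-03-01T10:36:00 10.0.7.9 10.0.8.16 22
2017-03-01T10:42:00 10.0.7.9 10.0.8.17 22
"""


def parse_flows(text):
    """Parse the assumed record format into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_sweeps(flows, port, min_hosts=8, window=timedelta(minutes=5)):
    """Return one alert per source that reached >= min_hosts distinct
    destinations on `port` inside some interval no longer than `window`.

    Per source, flows are sorted by time and a sliding window is kept;
    `seen` counts each destination currently inside the window, so the
    distinct-host count is simply len(seen).
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))

    alerts = []
    for src in sorted(by_src):
        events = sorted(by_src[src])
        seen = defaultdict(int)
        left = 0
        best = None
        for ts, dst in events:
            seen[dst] += 1
            # Evict flows that have aged out of the window on the left.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
                left += 1
            if len(seen) >= min_hosts and (best is None or len(seen) > best["hosts"]):
                best = {"src": src, "port": port, "hosts": len(seen),
                        "first": events[left][0], "last": ts}
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for alert in find_sweeps(flows, 22):
        print("fast sweep:", alert)
    for alert in find_sweeps(flows, 22, window=timedelta(hours=1)):
        print("with 1h window:", alert)
```

With the default 5-minute window only 10.0.5.17 is flagged; the slow scanner at 10.0.7.9 never has more than one host inside any window and only surfaces once the window is widened to an hour. That is the usual caveat with this class of detection: a short window keeps false positives down for admins and monitoring systems, but a patient attacker spreads connections out to stay under it, so a SOC keeps longer-horizon aggregates (per day, per source) alongside the fast rule. Note that everything this rule uses is flow metadata (source, destination, port, timing), which a network sensor sees whether or not the payload is TLS-encrypted.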