I’m missing the point about a reverse-proxy being an SSL termination endpoint
Yes, that’s usually one of the jobs of the reverse proxy. Communication between the RP and an application container running on the same host is typically unencrypted. If you’re really paranoid about a rogue process intercepting HTTP connections between the RP and the application container, setup separate container networks for each application, and/or use unix sockets.