For example, a megaphone beeline and Rostelecom insert their own banner. In fact, the dpi piece of iron does this, of course, not only that. Physically, at the L7 osi level, a parser works that inserts its data. However, dpi also works at lower levels and can change packets. See ipchains device and manuals like transparent proxy for how it's done.

An attacker can break in if he can physically or logically break into your network connection.
On the part of providers, this is DPI (deep packet inspection), which analyzes packets and can do everything from blocking a page to wedging banners.
On the part of intruders, these are attacks like "free wifi here" (we raise an access point, we sniff traffic through it).
There are also logical options - i.e. somehow force the victim to use the attacker's proxy. From attacks on existing networks (for example, ARP Poisoning), through hacking and flashing home routers, and to social messages like "you can protect yourself from hackers with one click, all you need is ..."

As an attacker, I can:
1. Inject malware onto your machine
2. Hack your router
3. If you are on a local network, I can listen to your traffic on the way to the gateway
4. If you are using Wi-Fi, it is even easier to do this
5. Send you a phishing link
6. Interception can be done at the ISP
...
100500 more ways
A packet from your machine to a web server can go through dozens of connections and at each link in this chain you can intercept / redirect / modify unencrypted traffic.
PS True, if the malware is on your machine, then it's too late to drink Borjomi.