Computer networks
Zvenem, 2019-12-26 20:57:26

Is it possible to intercept TCP TLS traffic in unencrypted form directly from the device?

Actually, the question is in the title. A reverse proxy like Burp Suite Proxy or mitmproxy.
If this is at all possible, then please advise a utility.


3 answer(s)
Vamp, 2019-12-26
@Zvenem

Interception is impossible, since traffic is encrypted at the application level, not the OS. Your only way to intercept is MITM. But if the application uses certificate/public key pinning, then MITM won't help you either.

Valentin, 2019-12-26
@vvpoloskin

I probably won't be revealing a secret, but in the modern world TLS runs only on the balancer-application section. From the balancer to the application server itself, everything is open, and even mirrored several times to analyzers, passed through DPI, etc. The same freedom exists on the user device itself when information moves from user actions to the TCP/IP stack.

iddqda, 2019-12-27
@iddqda

Well, it depends on which application sets up this TLS and whether it supports such MITM or not.
For example, Firefox and Chrome put the session key in the file specified in the SSLKEYLOGFILE environment variable,
and Wireshark can work with this key.
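
The file named in the last answer is written in the NSS key log format, where each line ties a secret to the client random of one TLS session. The following is an added example, not part of any answer in this thread: a small parser that validates such a file and reports what was logged per session. It goes beyond the answer by covering the TLS 1.3 labels as well; the function names and the sample data are constructed for illustration.

```python
import re
from collections import defaultdict

# Labels from the NSS key log format; CLIENT_RANDOM is the TLS 1.2 one.
LABELS = {
    "CLIENT_RANDOM", "CLIENT_EARLY_TRAFFIC_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0",
    "EXPORTER_SECRET", "EARLY_EXPORTER_SECRET",
}
# Line layout: <label> <32-byte client random, hex> <secret, hex>
LINE_RE = re.compile(r"([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)")

def parse_keylog(text):
    """Return ({client_random: {label: secret}}, [rejected line numbers])."""
    sessions, rejected = defaultdict(dict), []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        m = LINE_RE.fullmatch(line)
        # A TLS 1.2 master secret is always 48 bytes (96 hex characters).
        if (m is None or m.group(1) not in LABELS
                or (m.group(1) == "CLIENT_RANDOM" and len(m.group(3)) != 96)):
            rejected.append(n)
            continue
        sessions[m.group(2).lower()][m.group(1)] = bytes.fromhex(m.group(3))
    return dict(sessions), rejected

def summarize(sessions):
    """Say, per client random, which kind of secrets the log holds."""
    app = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
    out = {}
    for rnd, secrets in sessions.items():
        if "CLIENT_RANDOM" in secrets:
            out[rnd] = "TLS 1.2: master secret present"
        elif app <= secrets.keys():
            out[rnd] = "TLS 1.3: application traffic secrets present"
        else:
            out[rnd] = "TLS 1.3: incomplete"
    return out

# Constructed sample (not real key material); the last entry is malformed.
R12, R13 = "aa" * 32, "bb" * 32
SAMPLE = f"""# constructed sample key log
CLIENT_RANDOM {R12} {'11' * 48}
CLIENT_TRAFFIC_SECRET_0 {R13} {'44' * 32}
SERVER_TRAFFIC_SECRET_0 {R13} {'55' * 32}
CLIENT_RANDOM {R12[:-2]} {'11' * 48}
"""
```

Because anyone who can read this file can decrypt a capture of the matching sessions, the file deserves the same handling as a private key, and the variable should be unset once debugging is finished.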
