Routers fundamentally do not “know” files, only packets. For filtering files, you need an application that can understand files; a cache can therefore help you save data transfers when they are not needed, and can also choose what to forward to the client, following instructions and directives.
Is this MITM? Yup. It can be “transparent” for the clients (no need to configure a proxy on the device), and it is YOUR MITM, not someone else's.
The limit is with TLS and HSTS. With TLS, the content of the file cannot be accessed without breaking the connection; with HSTS, server and client are not allowed to “downgrade” part of the connection from TLS to plain HTTP.
The interesting approach of peek and splice is to catch what the client is asking for as a URL, and to act only if the content (file) is not what is expected or if the URL is going in an unwanted direction (content filtering). With TLS, a cache is now almost useless, but who knows.
Let me add one more thing.
A proxy can limit not only domains and hosts, but even applications, so…
app.company.co/email may be allowed and
app.company.co/chat may not be. The same thing is not possible with DNS content filtering.