To be fair, [classic] ELBs do NOT need to decrypt traffic if you're really paranoid - you can load balance on TCP. Then it's only per-socket load balancing and you lose a lot of CloudWatch insights, but if you need truly end-to-end encryption, it's an option.
I think you can do the same with NLBs. ALBs, however, have to terminate the HTTP so no choice there.