They can, but you will get a certificate error, because the ISP doesn't has a valid certificate for the domain.

Exactly. It will show up in any modern browser with a big red "This site is not safe!" type of message if that was to happen. This is one of the reasons Google (and others) so proactively protect the certificate infrastructure so meticulously, and run efforts like https://www.certificate-transparency.org/

Yes, and that is an argument for https with certificates...