Thank you, but you explained too much and I still have no idea what the job of the client is and what the job of the user is in this case, concretely.
For the user it's simple. Instead of adding an ICANN domain for a relay or mint, they just add a blockchain domain. So I go to Jumble, I add a relay, instead of adding wss://nos.lol I add hns://nos.haha (if, say, it's a .haha domain on the Handshake blockchain). If that's my only relay then I'm off ICANN for relays, as an individual user anyway.
I (as the user) will at some point have had to have added a "resolver service" to Jumble so that Jumble can know where to go to get what it needs to make a secure connection to nos.haha for when I query it. I will have entered my chosen blockchain domain resolver service (one or more) in some special field(s), same as if entering blossom mirrors or whatever.
To allow me to be able to add hns://nos.haha in the first place, Jumble would have to update a lot of logic (versus now). And each time I refresh the connection Jumble also has to do the back and forth with the TEE. A client like Jumble or Damus can't resolve blockchain domains on its own (especially if on a mobile device) so it has to outsource that to the resolver service. And the resolver service has to be transparent so that you don't get MITM attacks. Thus the TEE on the Nitro enclave or wherever.
HNS is a joke. It's not possible to generate SSL certificates for HNS domains and HTTPS:// protocol is not available for their TLDs. You also can't resolve them with a regular browser.