# kolide
d
The tl;dr is that no, even with ACM support for NLBs it still requires the protocol to be TLS which messes up gRPC transmission.
m
Yes exactly; what I did after all is a CloudFormation Custom Resource which generates a Let's Encrypt certificate, stores its fullchain in ACM and its private key in AWS Secrets Manager, which are pulled by the container at bootstrap. Not ideal, but I couldn't find a better way.
d
Yeah that’s what we ended up doing too. Ran into some weirdness around the Let's Encrypt certificate chain but it still worked well enough for a hackathon project.