Satellite broadband services are critical infrastructures, bringing connectivity to the most remote regions of the globe. However, due to performance concerns, many geostationary satellite broadband services are unencrypted and vulnerable to long-range eavesdropping attacks. This paper delves into the underlying cause of these issues, presenting the case that the widespread use of Performance Enhancing Proxies (PEPs) for TCP optimization has created a security/performance trade-off. A review of previous mitigation proposals finds limited real-world adoption due to a variety of factors ranging from misaligned commercial incentives to the prevalence of unverified "black-box" encryption products. To address these shortcomings, we design and implement a fully open-source and encrypted-by-default PEP/VPN hybrid, called QPEP. Built around the QUIC standard, QPEP enables individuals to encrypt satellite traffic without ISP involvement. Additionally, we present an open and replicable Docker-based testbed for benchmarking QPEP, and other PEP applications, through simulation. These experiments show that QPEP enables satellite customers to encrypt their TCP traffic with up to 72% faster page load times (PLTs) compared to traditional VPN encryption. Even relative to other unencrypted PEPs, QPEP offers up to 54% faster PLTs while also protecting communications in transit. We briefly discuss how QPEP might leverage bespoke modifications to the QUIC protocol for further optimization. Ultimately, our experiments suggest that QPEP's hybrid architecture represents a promising new technique for bringing both security and performance to satellite broadband while avoiding costly alterations to status-quo networks.