
Re: 1. You can deploy additional security measures such as certificate pinning or a VPN tunnel to your CalDAV server if you have a high security requirement.

Re: 2. If your server is untrusted (because it's a remote virtual server) or hacked, e2e will not protect you.



1. That's exactly what I said, though you are just patching a broken system here. Why not just use a system that's resilient to all of this in the first place, like with end-to-end?

2. How so? EteSync, for example, has a git-like integrity verification (just with HMAC instead of hash), so it's easy to check consistency across clients, and the server can't forge anything. The worst the server/MITM can do is stop syncing a specific client, which would be easy to detect. A rogue server can't even omit specific changes, only stop sync. So I don't agree with your assertion.
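
An added illustration of the HMAC-chained journal idea described in the comment above. It is not part of the thread and not EteSync's actual format or code: the entry layout, the function names and the sample data are assumptions made for this sketch. Each entry's uid is an HMAC over the previous uid plus the content, keyed with a secret the server never sees.

```python
import hashlib
import hmac

GENESIS = bytes(32)  # constructed placeholder "previous uid" for the first entry


def entry_uid(key: bytes, prev_uid: bytes, content: bytes) -> bytes:
    # prev_uid is always 32 bytes, so prev_uid + content is unambiguous.
    return hmac.new(key, prev_uid + content, hashlib.sha256).digest()


def append(key: bytes, journal: list, content: bytes) -> None:
    prev = journal[-1][0] if journal else GENESIS
    journal.append((entry_uid(key, prev, content), content))


def first_bad_entry(key: bytes, journal: list) -> int:
    """Index of the first entry whose uid does not verify, or -1 if all do."""
    prev = GENESIS
    for i, (uid, content) in enumerate(journal):
        if not hmac.compare_digest(uid, entry_uid(key, prev, content)):
            return i
        prev = uid
    return -1


def head(journal: list) -> bytes:
    # Clients that compare heads out of band notice a stalled or forked sync.
    return journal[-1][0] if journal else GENESIS


def build_sample(key: bytes) -> list:
    # Constructed sample changes, standing in for encrypted calendar entries.
    journal = []
    for change in (b"add event A", b"add event B", b"edit event A", b"delete event B"):
        append(key, journal, change)
    return journal


if __name__ == "__main__":
    key = b"client-only key (constructed)"
    good = build_sample(key)
    omitted = good[:1] + good[2:]            # server drops entry 1
    forged = good[:2] + [(bytes(32), b"server-made entry")] + good[2:]
    stalled = good[:2]                       # server stops syncing this client
    print(first_bad_entry(key, good), first_bad_entry(key, omitted),
          first_bad_entry(key, forged), first_bad_entry(key, stalled),
          head(stalled) == head(good))
```

A truncated journal still verifies on its own, which is the "stop syncing" case; it only shows up when a client compares its head with another client's.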



