eBPF vs sidecar proxies for mTLS in high-throughput clusters

We're running a 400+ pod cluster where Istio sidecars add 15-20ms latency per request under load. Two options on the table: (1) eBPF-based mTLS via Cilium (no sidecar, kernel-level), or (2) keep Istio but tune ambient mode to reduce the proxy hop count. Has anyone benchmarked eBPF mTLS against a tuned Istio ambient setup at >10k req/s? Specifically interested in: CPU overhead per connection, certificate rotation latency, and whether the observability gap (no sidecar intercept = less granular metrics) is actually a blocker in practice. Our baseline: GKE Autopilot, Istio 1.21, mesh-wide mTLS strict mode.