What I don't understand is how this differs from
plain old DSCP remapping that can happen for any
u-flow or aggregated flow on any incoming/outgoing
interface.
If you look at a tunnel as a virtual interface,
I don't think that IPsec needs to recommend much
of anything other than noting the traffic analysis
as a potential consideration when deciding how to
remark traffic.

IPsec is a security protocol, thus it is appropriate for it to
include explicit controls when security-relevant mapping takes place
relevant to a tunnel. By the way, it's not traffic analysis per se
that is the major concern. The concern is that a Trojan Horse
"behind" the IPsec implementation uses the TOS field to exfiltrate
data.
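
The concern raised in the reply can be quantified. The following is an added example, not part of the original thread: it measures how many bits per packet of inner DSCP variation remain visible in the outer tunnel header under three per-tunnel policies. The mode names `copy`, `fixed` and `map`, the function names and the sample data are assumptions made for this illustration.

```python
import math
from collections import Counter

# Hypothetical per-tunnel policy modes (names are assumptions for this example).
COPY, FIXED, MAP = "copy", "fixed", "map"

def outer_dscp(inner_dscp, mode, fixed=0, table=None, default=0):
    """Return the DSCP written to the outer (visible) tunnel header."""
    if not 0 <= inner_dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    if mode == COPY:      # inner value passes through unchanged
        return inner_dscp
    if mode == FIXED:     # every packet gets the same outer value
        return fixed
    if mode == MAP:       # only listed values pass, the rest collapse to default
        return (table or {}).get(inner_dscp, default)
    raise ValueError(f"unknown mode {mode!r}")

def visible_bits_per_packet(inner_values, mode, **kw):
    """Shannon entropy (bits) of the outer DSCP values an observer sees."""
    outer = [outer_dscp(v, mode, **kw) for v in inner_values]
    n = len(outer)
    return -sum(c / n * math.log2(c / n) for c in Counter(outer).values())

def channel_bound_bits(mode, table=None, default=0):
    """Upper bound on bits/packet: log2 of distinct reachable outer values."""
    if mode == COPY:
        return 6.0
    if mode == FIXED:
        return 0.0
    reachable = set((table or {}).values()) | {default}
    return math.log2(len(reachable))

# Constructed sample: a host behind the tunnel using all 64 code points evenly.
SAMPLE_INNER = list(range(64)) * 4
# Constructed map: EF (46) is preserved, everything else becomes best effort (0).
SAMPLE_TABLE = {46: 46}

if __name__ == "__main__":
    for mode, kw in ((COPY, {}), (FIXED, {}), (MAP, {"table": SAMPLE_TABLE})):
        print(mode, round(visible_bits_per_packet(SAMPLE_INNER, mode, **kw), 3))
```

Copying the field leaves the full 6 bits per packet observable outside the tunnel; a restrictive map bounds it by the number of distinct outer values the policy allows.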