The nonce part of the CID is really a server endpoint identifier, isn't it?

It can be, in part, an identifier, but I don't think that's a useful way to think about it.

An individual server thread will have, from its perspective, a server ID that is totally unique. The connection IDs generated by that thread are unique only because they have different nonce inputs. It's possible, I suppose, for individual connections to be allocated part of the nonce space and use the decrypted connection ID (and nonce) to deliver it to the correct context. But that seems unlikely when the server thread could just maintain a Connection ID map.

From the load balancer's perspective, the server ID might be somewhat shorter (not encompassing any server ID bits related to threads, etc and irrelevant to the LB's routing decision). In this case, part of the nonce is indeed identifying these later parts of the routing hierarchy.

So in my conception of this, the decrypted nonce contains no usable information. Its only purpose is to ensure that each ciphertext is unique.

does that help?

Closing, assuming this response was satisfactory?