When you make a request to a website you make a HTTP request to that site, or at least, you used to. In the modern era nearly everything is HTTPS by default and that S is for SSL. This means the actual web traffic effectively passes through an encrypted tunnel between your browser and the website itself, safe from prying eyes amongst other things. Now there's another question in how does your browser find out which webserver it needs to talk to, the answer is DNS, when you type in https://cmdshell.uk/ the bit at the front says its a web request, but the bit between the slashes is the DNS address of the server you want to talk to. So in this case you want to talk to cmdshell.uk which your browser sends off a DNS lookup to request the IP registered to that name, and lets say 10.10.10.10 returns, then your browser can send a HTTPS request to 10.10.10.10 to get what you need.
Pretty standard stuff really, but why is this relevant? DNS stands for Domain Name Service, there's no SSL in there, its an old protocol that works in an old way, but its mostly ignored because it's pretty simple. There are systems like DNSsec and DNScrypt designed to add such layers of encryption to this protocol, however most people don't use them, and even if you do both ends need to have it enabled to work. Okay so maybe you've found a service that does, but only requests to that service are encrypted, at some point you will have to query what are known as the "root servers" the ones that handle things like .uk .com .org, I know from experience these do not have these services enabled meaning even with the best of intentions some of your DNS is going to have to be handled in plaintext, either by you or one of the recursive resolvers you wil be using.
Okay so that's the technical details out of the way, what does all this mean? ISPs the world over tend to spy on their users, this isn't a theory, its a known fact. It's mostly benign, they're more interested in providing good service, sometimes the government requires is, but the point is they're watching for better or worse. Anything that is encrypted is difficult (though not impossible) to spy on, it creates a layer of protection by enforcing a large amount of work to achieve that unless there is a significant threat posed specifically by you they are unlikely to act on. So they can't view your web traffic, but they do watch your DNS.
Now here where that becomes important. If I drop a link on my page to https://subdomain.cmdshell.uk/ and you click on it, the domain has changed so your browser will perform a DNS lookup. If however the link is https://cmdshell.uk/subdirectory the domain is the same even though it loads a different site. The sub-directory is part of the HTTPS request and does not need a change in DNS so unless they search the web traffic too anyone spying on the link will not see the page change. Okay, so not terribly groundbreaking as it just access a different folder on the server, but that's where reverse proxies enter. A reverse proxy on the webserver can be told to pull the response for https://subdomain.cmdshell.uk/ and send it when https://cmdshell.uk/subdirectory is requested. Using this method you can access the sub-domain while leaving anyone watching your traffic none the wiser, the only real difficulty is you have to control the web server to be able to do it.