There's one really tricky clause in there that I also missed on my first pass: "The term “covered transaction” includes ANY OTHER TRANSACTION, the STRUCTURE of which is designed or intended to evade or circumvent the application of this Act, subject to regulations prescribed by the Secretary."

That clause adds a vast amount under the blanket of "covered transactions." At the minimum this would include the usage or offering of VPNs, TOR, or any sort of technology or connection that might be able to circumvent the methods the government will try to use. The "or" in the bill's clause also seems quite meaningful, as it clarifies that offering a service which CAN circumvent the restrictions is just as illegal as offering a service INTENDED to do so.

Beyond that, this thing's a monster of obfuscation. To even begin reading it you need to remove 'weak' OR statements. For one simple example, from Section 3 all the Secretary needs to do to justify 'imposing mitigation measures' against something is to show that it poses an "undue" risk to the "safety of United States persons." The language about national security or critical infrastructure, which you mentioned from the same section, are irrelevant as they're both subsets of 'undue risk to the safety of United States persons.'