IANAL;

In the Lenovo case, probably not. But in the case of an employer-provided system and network intended for business purposes which performs SSL interception for security and data leak prevention? I think it can clearly be considered reasonable for the company to do that, and the user's expectation of privacy is significantly different. I do feel it's important that Acceptable Use Policies, Employee handbooks, etc. disclose the activity though.

Definitely, but no way Lenovo can even get close to the same sort of justification. It's reasonable that my workplace monitor and manage how their network bandwidth is being used. It's not reasonable that Lenovo gets to spy on my specifically encrypted traffic just because I bought a computer from them for personal use.

In this case, Lenovo hardly is spying or even interested. The bad thing is they are

a) selling capability to advertise to you, without your real consent, and

b) when the do it, the implementation is so horribly broken that it exposes end users to be exploited by just about anyone.

I see little malice, I see a lot of incompetence and outright, unforgivable stupidity. This opens door to the malice of others.