you can as easily get attackers from within your own networks, you're falling for fallacy that everything on the 'inside' is secure.

Just because one group of attackers is (/might be) inside your network doesn't mean you also have to let all other groups in. There is zero reason to let (say) North Koreans interact with your gas pump API, other than that the internet is set up so that it is virtually impossible to prevent unfriendly parties from contacting your servers.