And then a few of those users who you treated like adults who don't need surveillance make a private network among themselves and other nodes in Russia and China to exfiltrate the corporation's most sensitive intellectual property, serve as a bridge for state-sponsored bad actors to bypass your firewall, and tunnel command-and-control traffic through your "unrestricted" egress, and now your zero-trust philosophy has created a zero-accountability blind spot that your IR team discovers eighteen months later during a breach investigation.

What’s the alternative—locking down all legitimate users and still losing the data anyway?

Network controls alone don’t stop exfiltration. HDMI/DP can move data faster than most consumer NICs. Does the system account for that scenario?

If your threat is state sponsored bad actors you've already failed. OK, great you blocked VPNs. Now they tunneled their vpn through as HTTPS. You successfully annoyed all your legit users and completely failed to stop the real problem.