pixl97 12 hours ago
> but I still think that restricting outbound requests is a good measure

It is 100% necessary, but doesn't stop most attacks quickly enough. If you're posting to github.com/acmecompany then attackers love to do things like add their own user github.com/acemcompany and just upload your data to that. Generally it doesn't last very long, but with CI/CD they can get thousands of keys in a minute and be gone seconds later.
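An added example, not part of the comment above: an egress check that allowlists the host together with the organization path segment and raises an alert when the organization is a near-miss of an allowed one. The `ALLOWED` policy, the function names and the distance threshold of 2 are assumptions for illustration, and the check presumes the egress proxy can see the request path.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Assumed policy for illustration: host -> allowed first path segment (org/user).
ALLOWED = {"github.com": {"acmecompany"}}
LOOKALIKE_MAX = 2  # assumed threshold: edits that still count as a near-miss


def osa_distance(a, b):
    """Edit distance counting an adjacent-character swap as a single edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify(url):
    """Return allow, deny-host, deny-org or alert-lookalike for an outbound URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    orgs = ALLOWED.get(host)
    if orgs is None:
        return "deny-host"
    # Decode and collapse dot segments so /acmecompany/../other is judged as /other.
    path = posixpath.normpath(unquote(parts.path))
    segs = [s for s in path.split("/") if s]
    org = segs[0].lower() if segs else ""
    if org in orgs:
        return "allow"
    # Right host, wrong org: a near-miss name is worth paging on, not just blocking.
    if any(osa_distance(org, o) <= LOOKALIKE_MAX for o in orgs):
        return "alert-lookalike"
    return "deny-org"


if __name__ == "__main__":
    # Constructed sample destinations, using the names from the comment above.
    for u in ("https://github.com/acmecompany/app.git",
              "https://github.com/acemcompany/dump",
              "https://example.net/upload"):
        print(classify(u), u)
```

A host-only allowlist would pass all three `github.com` destinations identically; keying on the organization segment is what separates them.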