I also kind of assume any Chinese model has a deeply embedded behavior to flag data the MSS might find interesting and do some kind of innocuous exfil of that if it is allowed any Internet access.

It's worth remembering that a malicious model doesn't need Internet access to exfil - it merely needs to write code with subtle backdoors that will eventually run on a production system, and wait until its code is woken up by a system that will scan all known addresses and ports for the specific patterns introduced by the model's progeny. Which is not to say that this is happening in this case, or anything about which nation-state will be the first to attempt this - but we're only at the beginning of what's possible here.