As a neophyte, I failed to see them demonstrate injection. They seem to model what injection would mean, but not show how the threat actor got into the flow.

Probably for non neophytes who this is aimed at, that's a given.