Network-layer enforcement is right. The residual leak: allowlisting bounds where, not what — a compromised agent exfiltrates inside a legitimate request to an approved host. Covert channels move up to content.