
The only way to make this sort of idea work reliably is a managed learning approach that creates a whitelist of known-good network traffic patterns, and then only permits those.

A prescriptive signature-based black list, as you point out, is easily fooled with simple obscurity.




Rather, controlling what information software can get its hands on (focusing on the input rather than output) seems to be the only way out? This is what app permissions on phones and applet sandboxing, chroot jails & containers, etc. try to do.

An additional twist that seems daunting (but interesting) is to mark sensitive data at EVERY step in its processing, with support from the OS and hardware, and never let tainted data out without explicit permission. See Perl's tainted variables for the gist of the inspiration.

So if a = "User's name", which is protected data, and you do b = a, then b is tainted, too, and write(socket_fd, *b) would pop up an alert.

All old hat, I bet, to security researchers. I'm just thinking out aloud.
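
The propagation rule sketched in the comment above, as an added example that is not part of the thread: a Python string wrapper whose labels follow copies, slices and concatenations, and a sink that refuses labelled data unless the label is explicitly allowed. `Tainted`, `TaintError` and `guarded_write` are hypothetical names, and the sink is an in-memory buffer standing in for a socket.

```python
import io

class TaintError(Exception):
    """Labelled data reached an output sink without explicit permission."""

class Tainted(str):
    """str subclass carrying sensitivity labels that follow derived values."""
    def __new__(cls, value, labels=()):
        obj = super().__new__(cls, value)
        obj.labels = frozenset(labels)
        return obj

    def _derive(self, value, *others):
        # Result inherits this value's labels plus those of any tainted operand.
        labels = set(self.labels)
        for other in others:
            labels |= getattr(other, "labels", frozenset())
        return Tainted(value, labels)

    def __add__(self, other):
        return self._derive(str.__add__(self, other), other)
    def __radd__(self, other):  # plain str on the left: "Hello, " + tainted
        return self._derive(str.__add__(other, self), other)
    def __getitem__(self, key):
        return self._derive(str.__getitem__(self, key))

# Wrap a few str methods so their results stay labelled (not exhaustive).
for _name in ("upper", "lower", "strip", "replace"):
    def _wrap(self, *args, _orig=getattr(str, _name)):
        return self._derive(_orig(self, *args), *args)
    setattr(Tainted, _name, _wrap)

def guarded_write(sink, data, allow=()):
    """Write to sink only if every label on data is in allow; else raise."""
    blocked = getattr(data, "labels", frozenset()) - frozenset(allow)
    if blocked:
        raise TaintError(f"outbound write blocked, labels: {sorted(blocked)}")
    return sink.write(str(data))

if __name__ == "__main__":
    a = Tainted("Alice Example", {"user_name"})  # constructed sample value
    b = a                                        # the comment's b = a
    msg = "Hello, " + b[:5].upper() + "!"
    sock = io.StringIO()                         # stand-in for socket_fd
    try:
        guarded_write(sock, msg)
    except TaintError as exc:
        print(exc)
    guarded_write(sock, msg, allow={"user_name"})  # explicit permission
```

A library-level wrapper like this only tracks the operations it overrides; results built with f-strings or `str.join` are plain `str` and carry no label.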



