They are. The entire purpose of the zero trust push is that it is nearly impossible to completely prevent perimeter breaches, so instead design in such a way that an actor inside your perimeter is not automatically trusted.
You can almost entirely prevent perimeter breaches (from untrusted attacks) by implementing authenticate-before-connect with strong identity incl. closing all inbound ports at source and destination.