Couldn't an attacker exfiltrate over ssh or over an incoming HTTP connection instead of an outgoing? Or is this a defense-in-depth thing, not meant as a "hard stop"?
I see this as a defense in depth. It can buy you time until attacker figures out how to exfiltrate and you maybe notice via monitoring that something fishy is happening. It also prevents you participating in a DoS or other attacks.