by deepsun 1358 days ago
You won't believe it, but the "one network" came back nowadays. It's called "zero trust", basically treating your internal network as public.
2 comments

Zero Trust principles may imply having a flat underlay, but explicit access to applications and services should be microsegmented, least privilege, and authenticated/authorised on strong identity before any connectivity can be established - i.e., the overlay is closed by default and does not trust the underlay. Ideally you put ZT inside an application so you do not need to have any inbound ports, public DNS, etc.
That's right, except that all traffic is TLS encrypted, all authN/Z is at least two-factor, all services are least privilege/white-list; even intercepting traffic, session keys, or even user/pass credentials won't give you anything important.
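A small policy engine that models what the two comments above describe (overlay closed by default, authenticated identity before any connectivity, a second factor for human-facing grants, least-privilege method lists, and the caller's network location playing no part in the decision). This is an added example, not code from the thread or from any zero-trust product; the SPIFFE-style identity names, the service names, the 10.0.0.0/8 "internal" range and the sample requests are all constructed for the illustration.

```python
"""Default-deny, identity-based access policy for a zero-trust overlay.

Added example, not code from the thread. It models the points the two
comments make: the overlay is closed by default, the caller's network
location (the underlay) is not trusted, access requires an authenticated
identity (plus a second factor for human grants), and every grant is
least-privilege. Identity names, service names and sample requests are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

CORP_NET = ip_network("10.0.0.0/8")  # constructed "internal" range, used only for logging


@dataclass(frozen=True)
class Peer:
    """What the overlay knows about a caller once the transport handshake is done."""
    source_ip: str
    identity: Optional[str]  # e.g. SPIFFE-style ID proven by a client certificate; None = anonymous
    tls: bool = False        # session is TLS protected (mTLS when identity is set)
    mfa: bool = False        # a second factor was completed for this session


@dataclass(frozen=True)
class Rule:
    """One least-privilege grant: this identity may call these methods on this service."""
    identity: str
    service: str
    methods: frozenset
    require_mfa: bool = True


@dataclass
class OverlayPolicy:
    rules: list = field(default_factory=list)

    def decide(self, peer: Peer, service: str, method: str) -> tuple:
        """Return (allowed, reason). Anything not explicitly granted is denied."""
        where = "internal" if ip_address(peer.source_ip) in CORP_NET else "external"
        # 1. No plaintext: a service never sees an unencrypted session.
        if not peer.tls:
            return False, f"deny ({where} ip): plaintext transport"
        # 2. Identity first. The source address is logged but never used in the
        #    decision, so an "internal" address buys nothing: the underlay is untrusted.
        if peer.identity is None:
            return False, f"deny ({where} ip): no authenticated identity"
        # 3. Only explicit grants exist; with no matching rule the service stays closed.
        rule = next((r for r in self.rules
                     if r.identity == peer.identity and r.service == service), None)
        if rule is None:
            return False, f"deny ({where} ip): {peer.identity} has no grant on {service}"
        # 4. A stolen single-factor credential stops here for MFA-required grants.
        if rule.require_mfa and not peer.mfa:
            return False, f"deny ({where} ip): second factor required for {service}"
        # 5. Least privilege: only the listed methods, nothing else.
        if method not in rule.methods:
            return False, f"deny ({where} ip): {method} not permitted on {service}"
        return True, f"allow ({where} ip): {peer.identity} {method} {service}"

    def visible_services(self, peer: Peer) -> set:
        """Service discovery is policy-driven: an unauthenticated peer sees nothing."""
        if not (peer.tls and peer.identity):
            return set()
        return {r.service for r in self.rules if r.identity == peer.identity}


# Constructed policy: a human-facing UI gets read-only access and must have MFA;
# a workload identity gets read/write on mTLS identity alone (assumed: no human to prompt).
POLICY = OverlayPolicy(rules=[
    Rule("spiffe://example.test/payroll-ui", "payroll-api", frozenset({"GET"})),
    Rule("spiffe://example.test/batch-job", "payroll-api", frozenset({"GET", "POST"}), require_mfa=False),
])

# Constructed requests: (label, peer, service, method)
SAMPLE_REQUESTS = [
    ("internal, plaintext, anonymous", Peer("10.1.2.3", None), "payroll-api", "GET"),
    ("internal, TLS, anonymous", Peer("10.1.2.3", None, tls=True), "payroll-api", "GET"),
    ("external, mTLS + MFA, ui GET", Peer("203.0.113.9", "spiffe://example.test/payroll-ui", tls=True, mfa=True), "payroll-api", "GET"),
    ("external, mTLS + MFA, ui POST", Peer("203.0.113.9", "spiffe://example.test/payroll-ui", tls=True, mfa=True), "payroll-api", "POST"),
    ("internal, stolen password, no MFA", Peer("10.9.9.9", "spiffe://example.test/payroll-ui", tls=True), "payroll-api", "GET"),
    ("internal, workload mTLS, POST", Peer("10.5.5.5", "spiffe://example.test/batch-job", tls=True), "payroll-api", "POST"),
    ("external, unregistered identity", Peer("198.51.100.7", "spiffe://example.test/unregistered-svc", tls=True, mfa=True), "payroll-api", "GET"),
]


def evaluate_samples(policy: OverlayPolicy = POLICY) -> list:
    """Run every sample request through the policy; returns [(label, allowed, reason)]."""
    return [(label, *policy.decide(peer, svc, meth)) for label, peer, svc, meth in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for label, allowed, reason in evaluate_samples():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label:36} -> {reason}")
```

Running the module prints one line per sample request. The decision order is the point: transport, then identity, then an explicit grant, then the second factor, then the method list. Only the last two steps differ between callers, and none of them consult the source address, which is why a captured password or a foothold on the "internal" network on its own opens nothing.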