That’s definitely part of the solution to limit the risk, but it does not eliminate it. That’s exactly something the tool demonstrates very well. If you can exploit , you can gently ask OIDC to mint you access on the fly. That’s what I call “dwell mode”, where you hang for, say, 1 minute and you perform arbitrary things with the OIDC access. So yes, with short-lived creds there’s no “offline access” and it leaves more traces, but still.