Call me old school, but you can already defeat the majority of modern malware by just putting your infrastructure behind a whitelist proxy and a firewall that filters **all** traffic.
This doesn't mean you shouldn't do more, but if you currently have unfiltered egress in your "zero trust infrastructure", you've got something fundamentally wrong.
Expanding on this: to a large extent, this also mitigates the whole Log4j attack. The attack isn't proxy aware and would just end up in your firewall.
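An added example, not part of the original post: if direct egress is dropped and logged, anything that is not proxy aware shows up in the firewall log, and this sketch lists which internal hosts tried to connect out directly. The iptables-style LOG format, the `EGRESS-DROP` log prefix, the `10.0.0.0/8` internal range and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (not from the post): internal range and firewall log prefix.
INTERNAL = ip_network("10.0.0.0/8")
LOG_PREFIX = "EGRESS-DROP"
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

# Constructed sample lines in iptables LOG style (documentation IP ranges).
SAMPLE_LOG = """\
Dec 10 09:14:02 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.2.15 DST=203.0.113.50 LEN=60 PROTO=TCP SPT=40112 DPT=1389
Dec 10 09:14:03 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.2.15 DST=203.0.113.50 LEN=60 PROTO=TCP SPT=40114 DPT=1389
Dec 10 09:15:40 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.3.7 DST=198.51.100.9 LEN=76 PROTO=UDP SPT=53011 DPT=53
Dec 10 09:16:01 fw kernel: INGRESS-DROP IN=eth0 OUT= SRC=198.51.100.77 DST=10.0.2.15 LEN=44 PROTO=TCP SPT=4444 DPT=22
Dec 10 09:16:05 fw kernel: EGRESS-DROP IN=eth1 OUT=eth0 SRC=10.0.2.15 DST=10.0.9.1 LEN=60 PROTO=TCP SPT=40200 DPT=8080
"""


def dropped_direct_egress(log_text):
    """Return {internal_src: {(dst, proto, dport): count}} for dropped
    connections from internal hosts to destinations outside INTERNAL."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if LOG_PREFIX not in line:
            continue  # not an egress drop record
        f = dict(FIELD.findall(line))
        if not {"SRC", "DST", "PROTO"} <= f.keys():
            continue  # malformed or truncated record
        src, dst = ip_address(f["SRC"]), ip_address(f["DST"])
        # Only internal -> external attempts bypassed the proxy path.
        if src in INTERNAL and dst not in INTERNAL:
            key = (f["DST"], f["PROTO"], int(f.get("DPT", 0)))
            hits[f["SRC"]][key] += 1
    return {src: dict(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, dsts in dropped_direct_egress(SAMPLE_LOG).items():
        for (dst, proto, dport), n in dsts.items():
            print(f"{src} -> {dst}:{dport}/{proto} dropped {n}x")
```

A server that appears here was trying to reach the internet without going through the proxy, which is worth investigating even though the connection was blocked.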