Good point. I would also like to add as an argument that the hybrid approach should be seen as having multiple lines of defense. A corporate network should have an outer boundary that is hard-ish to penetrate. Personal devices should either require approval or use some kind of VPN to access any part of this network. Inside, the network should be divided into subnets with their own border protections, in case an attacker penetrates the outer shell/userland. For all subnets, zero-trust should be implemented when possible, even for communication within a subnet. Finally, monitoring should be in place to listen for unusual activity, whether that is unusual or suspicious traffic, unexpected changes in configurations of nodes on the network, etc.