Stuff is so complex nowadays that there's a ton of vectors an employee can use to eventually access almost anything on production systems. Unless you kneecap their ability to reach anything at all. Even if, say, you use Vault for secrets, extensive ACLs, on-demand access, there's an almost infinite number of ways to squeeze out data in ways that haven't been anticipated. Kubernetes, containers, etc. don't always help; sometimes they make things worse.
Defending against internal threats seems like a losing battle that can only be mitigated, slowing down more than preventing an attack.
Stopping employees from accessing anything and everything in production impacts productivity, and engineers often do not want to work in that kind of environment.
Implementing a zero-trust architecture with a trust-score system for users and a dynamic policy for accessing resources can help to limit potential damage in the event of a security incident. But I agree that the balance between protecting against attacks and maintaining productivity can be delicate.
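An added example, written for this page and not taken from any commenter in the thread, of what a trust-score plus dynamic-policy decision point can look like in code. The signals in `RequestContext`, the weights in `trust_score`, the thresholds in `POLICIES` and the resource names are all assumptions chosen for illustration; a real deployment would derive them from device attestation, the IdP's session data and a behavioural baseline.

```python
"""Minimal zero-trust policy decision point (illustrative, not from the thread).

Each request carries signals about the user, device and session. They are
folded into a 0..100 trust score, and every resource declares its own
thresholds: allow outright, allow after step-up authentication, or deny.
Weights, thresholds and resource names below are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestContext:
    user: str
    mfa_age_s: int          # seconds since the last strong (MFA) authentication
    device_managed: bool    # endpoint enrolled in MDM / passed posture check
    network_trusted: bool   # corporate network or VPN vs. unknown network
    anomaly_score: float    # 0.0 = matches baseline, 1.0 = far from baseline


def trust_score(ctx: RequestContext) -> int:
    """Combine per-request signals into a 0..100 trust score (weights assumed)."""
    score = 0
    if ctx.device_managed:
        score += 40
    if ctx.mfa_age_s <= 15 * 60:          # fresh MFA within 15 minutes
        score += 30
    elif ctx.mfa_age_s <= 8 * 3600:       # MFA within the working day
        score += 15
    if ctx.network_trusted:
        score += 10
    # Behavioural anomaly removes up to 20 points; clamp to the 0..1 range first.
    anomaly = min(max(ctx.anomaly_score, 0.0), 1.0)
    score += int(20 * (1.0 - anomaly))
    return score


@dataclass(frozen=True)
class ResourcePolicy:
    allow_at: int        # score needed for direct access
    step_up_at: int      # score needed to be offered step-up MFA instead of a deny
    max_mfa_age_s: int   # MFA freshness required for direct access


# Per-resource policy. Thresholds are assumptions; note that "vault-root" is
# unreachable through the score alone (101 > maximum score of 100), so it must
# go through a separate break-glass process rather than dynamic policy.
POLICIES = {
    "prod-db-read":  ResourcePolicy(allow_at=70,  step_up_at=50,  max_mfa_age_s=8 * 3600),
    "prod-db-write": ResourcePolicy(allow_at=85,  step_up_at=70,  max_mfa_age_s=15 * 60),
    "vault-root":    ResourcePolicy(allow_at=101, step_up_at=101, max_mfa_age_s=0),
}


def decide(ctx: RequestContext, resource: str) -> str:
    """Return "allow", "step-up" or "deny" for this request against this resource."""
    policy = POLICIES.get(resource)
    if policy is None:
        return "deny"                     # default-deny for anything not enumerated
    score = trust_score(ctx)
    if score >= policy.allow_at and ctx.mfa_age_s <= policy.max_mfa_age_s:
        return "allow"
    if score >= policy.step_up_at:
        return "step-up"                  # high enough to try, but re-prove identity first
    return "deny"


if __name__ == "__main__":
    # Constructed sample requests (not real data).
    fresh = RequestContext("alice", mfa_age_s=300, device_managed=True,
                           network_trusted=True, anomaly_score=0.0)
    stale = RequestContext("alice", mfa_age_s=3600, device_managed=True,
                           network_trusted=True, anomaly_score=0.0)
    byod = RequestContext("bob", mfa_age_s=300, device_managed=False,
                          network_trusted=False, anomaly_score=0.5)
    for ctx in (fresh, stale, byod):
        for res in ("prod-db-read", "prod-db-write", "vault-root"):
            print(f"{ctx.user:6} score={trust_score(ctx):3} {res:14} -> {decide(ctx, res)}")
```

The point of the example is the shape of the decision, not the specific numbers: a stale MFA session drops a write request to "step-up" while still allowing reads, an unmanaged device with anomalous behaviour is denied outright, and the most sensitive resource is kept out of the scoring path entirely so that a high score can never quietly escalate into it.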