Yes. Default-deny application firewalls are a really powerful tool. They really can take the wind out of large classes of exploits. They can't phone home to exfil data or get follow-up commands.
It isn't something I'd recommend for everyone, because it is a lot of work and faffing around, but it can be extremely effective if you are willing to invest in managing it correctly.