Zero Trust in the download path and quarantine-before-policy ordering (Chapter 7.2) are worth calling out as intentional security-in-depth: even a policy-compliant, correctly-keyed download attempt is ...