I have hourly snapshots of everything important on that machine and I can go back through the network flow logs, which are not on that device, to see if anything was exfiltrated long after the fact.

It's not like I'm running it where it could cause mayhem. If I ever run it on the PCI-DSS infra, please feel free to terminate my existence because I've lost the plot.