You know, that makes sense for a corporate network. They have an extremely aggressive firewall on the academic campus, which is how it should be.

However, they have failed to provide isolated networks for the research labs which just need it for even downloading LLMs (they have banned huggingface!).

Moreover, a hostel is residential. They should provide either the option of getting an external connection (which I would happily do!) or provide a means of non-stupid internet which they aren't.

What’s the alternative—locking down all legitimate users and still losing the data anyway?

Network controls alone don’t stop exfiltration. HDMI/DP can move data faster than most consumer NICs. Does the system account for that scenario?

If your threat is state sponsored bad actors you've already failed. OK, great you blocked VPNs. Now they tunneled their vpn through as HTTPS. You successfully annoyed all your legit users and completely failed to stop the real problem.

Then you've failed in security infrastructure, policy, and enforcement, and you've infantilized your users and wasted a bunch of IT time on checking boxes. The real power move in that case would be ensuring some third party vendor checked the boxes for you, so that your ass gets sufficiently covered and you have a narrative that goes something like "well, we did everything you're supposed to, those pesky superhackers are just soooo devious and skilled that they can get anywhere!"

The actual fix for things like that is to ensure that your sensitive data is properly protected, and things that you don't want exfiltrated aren't put into scenarios where exfiltration is possible. If you need to compromise on security for practicality, then make those exceptions highly monitored with multiple people involved in custody and verification. Zero trust means you don't give any of your users or host devices any trust at all, and modern security software can require multiple party approvals and MFA.

You can use a phone to scan documents as you scroll through them, or mitm hardware devices that appear to be part of a cable, or all sorts of sneaky shenanigans, and it's a never-ending arms race, so you have to decide what level of convenience is worth what level of risk and make policies enforceable and auditable. In some cases that might mean SCIF level security with metal detectors and armed guards, in other cases it might mean ensuring a good password policy for zip files shared via email.

Inconveniencing users by limiting web access and doing the TSA style performative security thing is counterproductive. This doesn't mean you give them install rights, or you don't log web activity, or run endpoint malware scanning, or have advanced unusual activity monitoring on the network and so forth. It just means if Sally from accounting wants to go shopping for ugly christmas sweaters for staff on Etsy, she doesn't have to fill out forms in triplicate and wait 3 months while the IT department gets approvals and management has meetings and the third party security vendor does a policy review and assessment before signing off on it, or telling her no.