
What's weird about having an isolated network and leaving access controls to a separate layer?

I think the only concern is where the software listens by default. If it's TCP 0.0.0.0/[::] then someone's eventually going to make a mistake.



On an isolated network, even the compromise of a low-level user/service account of a device/VM/container on that network gives you keys to the kingdom. A layered approach slows down or brings the penetration to a halt, allowing time for detection and remediation.


In practice, people using AWS, GCP, Digital Ocean, etc. have options for setting more detailed network ACLs. Kubernetes implements a primitive called Network Policies that can also implement network ACLs, if you are running that.

In my opinion network ACLs are a pretty important part of a modern defense in depth, though you are absolutely right in that these measures are far from a panacea and usually only slow down horizontal movement.



