In practice, people using AWS, GCP, DigitalOcean, etc. have options for setting more detailed network ACLs. Kubernetes implements a primitive called Network Policies that can also implement network ACLs, if you are running that.
In my opinion network ACLs are a pretty important part of a modern defense in depth, though you are absolutely right in that these measures are far from a panacea and usually only slow down horizontal movement.