The biggest problem in "default deny egress" is CDNs. It's a colossal waste of time to set up firewall access lists for your build agents, but even for your production environments - as soon as you have one external API that is hosted behind Cloudflare, Anypoint, Cloudfront, Akamai or one of the hundred other similar services, you may as well give up. Simply because it's extremely annoying to keep tabs on changing IP addresses.