Zero trust is when every session with every service is like its own VPN, independently authenticated and encrypted. Consider the way an HTTPS session between a server and a browser is created anew every time the browser accesses a domain, and ends after a short flurry of requests needed to load a page.
There's a significant difference which my original message hints at and is subsequently clarified: there's still an intermediary. If there's an exploit in the service, like this case, it's still not directly exposed. The intermediary device is still sitting in between and won't allow any old traffic through without separate authorization
