Imagine if in 2003 Microsoft added a domain-wide private key that automatically signed all macros saved in the domain.
And any files without that signature (like from an attacker) were automatically blocked by default.
This basically would have nuked the macro threat ecosystem.
Would only activate on domain-joined machines, you could trust other forests' public keys, legacy files would be prompted to be upgraded, and would only apply in temp directories like downloads and email attachments.
The point is not to be impenetrable. It's to kill defaults attackers can count on.
Something which can take awhile to understand is that cybersecurity does not require absolute perfection, it requires active ecosystem hostility at every layer.
@SwiftOnSecurity Biological security works this way too.
There's no one magic tool that the body uses to eliminate a pathogen. It's a defense-in-depth that amounts to "The space inside these walls *hates* you and wants you broken down into your constituent molecules, you *other*."
