End users are never implicitly trusted. When a user tries to access a resource, they must be authenticated and authorized, regardless of whether they are already on the company network. Authenticated users are granted least-privilege access only, and their permissions are revoked once their job is completed. https://www.researchgate.net/publication/365308473_Development_of_Cyber_Attack_Model_for_Private_Network
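The per-request check described above can be sketched as a small policy decision point. This is an added example, not code from the linked publication; the names (PolicyDecisionPoint, Grant, issue_token), the signing key and the HMAC token format are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

SIGNING_KEY = b"constructed-demo-key"  # constructed value; stands in for an identity provider's key

@dataclass(frozen=True)
class Grant:
    user: str
    resource: str
    action: str
    task_id: str
    expires_at: float

def issue_token(user: str) -> str:
    """Hypothetical stand-in for a credential issued after authentication."""
    mac = hmac.new(SIGNING_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{mac}"

def authenticate(token: str):
    """Return the user name if the token verifies, else None."""
    user, _, mac = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, user.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(mac.encode(), expected.encode())
    return user if user and ok else None

class PolicyDecisionPoint:
    def __init__(self):
        self.grants = set()

    def grant(self, user, resource, action, task_id, ttl_s, now=None):
        """Least privilege: one user, one resource, one action, one task."""
        now = time.time() if now is None else now
        self.grants.add(Grant(user, resource, action, task_id, now + ttl_s))

    def complete_task(self, task_id):
        """Revoke every permission that was issued for this task."""
        self.grants = {g for g in self.grants if g.task_id != task_id}

    def authorize(self, token, resource, action, source_ip, now=None):
        """Decide one request. source_ip is accepted for logging only and
        never widens access: an internal address earns no trust."""
        now = time.time() if now is None else now
        user = authenticate(token)
        if user is None:
            return False, "unauthenticated"
        for g in self.grants:
            if (g.user, g.resource, g.action) == (user, resource, action) and now < g.expires_at:
                return True, f"granted for task {g.task_id}"
        return False, "no grant"
```

Every call to authorize re-checks identity and the current grant set, so a request from an internal address such as 10.0.0.5 is denied exactly like an external one once the task is completed or the grant expires.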