Consumer EDR "could" detect it if everyone knew what to look for and the pricing was good. Unfortunately (or not), EDR for consumers is limited to really just the MS365 add-on for Microsoft Defender for Endpoint (P2), which is $3 a month on top of your MS365 license (so looking at a good value if you already have an enterprise tenant, even if solo). Downside: it's a firehose of information and is a full-time job managing for SMB. But to the other comment here: sandboxing / runtime isolation helps. It's more an onion than a strict wall. One failure shouldn't cause the city to collapse.