When there is a precise and legally defined boundary (i.e. ZDR means your data with Bedrock stays within the Amazon security and legal boundary), it becomes significantly more difficult to hide full data egress; without alarm bells being raised / mechanisms being accidentally discovered.

When you have a black box that sends the full stream to Anthropic, then everything (including what actually happens with the data) stays on the Anthropic side.

It's much harder to hide egress/exfil-at-scale completely; even if we assume NSA-level kernel rootkits, someone's still gonna notice "hey, why is this pipe saturated even though `nload` looks normal.

It's much easier to hide what you do with the full data when you have explanations for why you're doing egress/exfil.