With ambient, making an allow-nothing policy is not so straightforward:
- if a workload has no waypoint, then a global allow-nothing L4 policy works
- if a workload has a waypoint, then we need both allow-nothing L4 and L7 policies. As far as I can tell there is no global L7 allow-nothing equivalent (asked about it here), so we also need a specific L7 allow-nothing for every workload (including any non-charmed workloads)
Enhancement Proposal
To enhance security within a charmed istio service mesh, we should add hardening configurations that can globally enforce:
It might make sense to expose these as two separate configurations (so someone can require mTLS but not AuthorizationPolicies).
As part of this task, we should also investigate if there's any other hardening that should be done.
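As an added illustration (not from the charmed istio project) of the two-layer allow-nothing setup described above and of the mesh-wide mTLS requirement in the proposal, these are the plain Istio resources involved. It assumes the mesh root namespace is istio-system (Istio's default) and a placeholder workload namespace "app" with a waypoint Gateway named "waypoint".

```yaml
# Added example, not charmed istio code. Placeholder names: namespace "app",
# waypoint Gateway "waypoint"; root namespace istio-system is Istio's default.
---
# 1. Mesh-wide STRICT mTLS: a PeerAuthentication named "default" in the root
#    namespace applies to every workload without a narrower policy.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# 2. Global L4 allow-nothing: an AuthorizationPolicy with an empty spec in the
#    root namespace denies everything mesh-wide. In ambient it is enforced by
#    ztunnel, so on its own it covers workloads that have no waypoint.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
  namespace: istio-system
spec: {}
---
# 3. Per-waypoint L7 allow-nothing: binding the policy to the waypoint Gateway
#    via targetRefs makes the waypoint (not ztunnel) enforce it. This is the L7
#    counterpart the issue says has no global equivalent, so one is needed for
#    every waypoint, charmed or not.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: waypoint-allow-nothing
  namespace: app
spec:
  targetRefs:
    - kind: Gateway
      group: gateway.networking.k8s.io
      name: waypoint
```

With both deny-by-default layers in place, granting a caller access means adding an ALLOW policy at each layer it traverses (an L7 one carrying the same targetRefs for waypoint-fronted workloads).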