
I don’t think the grandparent says that everyone is owned, but that if your data is interesting enough, your threat model must include employees that are willingly exfiltrating data, sometimes for nation states, and that your first barriers are therefore assumed to be breached by those attackers.

This of course does not apply if you are not holding on to anything interesting, but it’s very easy to become interesting at a certain size, or if you have interesting customers. Still, not everybody.



Your threat exposure is not just your network. It's all of your customers and all of your vendors as well.

Recall that the Target POS hack back in 2014 happened because someone hacked the largest refrigeration contractor in western Pennsylvania, then bounced from there onto the Target Partners Online portal with legitimate credentials, and then from there in unspecified ways got onto the POS system. Obviously going from TPO to POS is a failure of Target's network security, but their network perimeter was much larger than just Target computers.


My response was triggered by "If you have anything of value". I agree with "if your data is interesting enough". Because let's be honest, barely any company qualifies for a nation state embedding a worker with them. If they do, they know. But everybody has something of value.



