
Agree, not a perfect term. You certainly make a good point and in fact the strongest zero trust approaches don't even let you on the network (even at layer 3) until after you are authorized.


Err, no - the strongest zero trust approaches never let you “on the network” - authorized or not.

They are designed to connect you to an application, you should never see the network.


yeah, agree, 'on the network' is a bad phrase. long form:

completely 'eliminate' the network by closing all inbound firewall ports (not even allowing dynamic hole punching), and then opening ephemeral, session-specific L3 outbound connections (from both sides* of the session) only for authorized sessions (strong auth - not IP-address based auth).

* requires intermediate 'gateways' which can bridge both sides to enable bidirectional data flow, initiated from either side
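The gateway arrangement described above, as an added illustration (constructed demo code, not from this thread or from any product): both endpoints only ever dial outbound to a relay, and the relay bridges the two connections only when each presents a valid credential for the same session id; an unauthorized connection is dropped before the waiting peer is ever exposed to it. The loopback relay, the "sid token" hello line and the HMAC session token (standing in for real strong auth such as mTLS or an SSO assertion) are all assumptions of this demo.

```python
import contextlib, hashlib, hmac, secrets, socket, threading

RELAY_KEY = secrets.token_bytes(32)  # constructed; known only to the relay and the authorizer

def session_token(sid: bytes) -> bytes:
    # Per-session credential standing in for real strong auth (mTLS, SSO assertion, ...)
    return hmac.new(RELAY_KEY, sid, hashlib.sha256).hexdigest().encode()

def _pump(src: socket.socket, dst: socket.socket) -> None:
    with contextlib.suppress(OSError):  # copy one way until EOF or reset
        while data := src.recv(4096):
            dst.sendall(data)
    dst.close()  # propagate EOF so the other endpoint sees the session end

class Relay:
    def __init__(self) -> None:
        self._waiting, self._lock = {}, threading.Lock()  # sid -> first arrival
        self._srv = socket.create_server(("127.0.0.1", 0))
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._accept, daemon=True).start()

    def _accept(self) -> None:
        while True:  # every connection is inbound to the relay, never to an endpoint
            threading.Thread(target=self._handle, args=(self._srv.accept()[0],), daemon=True).start()

    def _handle(self, conn: socket.socket) -> None:
        # Unbuffered readline: bytes arriving after the hello line stay in the socket.
        hello = conn.makefile("rb", buffering=0).readline().rstrip(b"\n")
        sid, _, tok = hello.partition(b" ")
        if not hmac.compare_digest(tok, session_token(sid)):
            conn.close()  # unauthorized: dropped; the waiting peer is never exposed to it
            return
        with self._lock:
            peer = self._waiting.pop(sid, None)
            if peer is None:
                self._waiting[sid] = conn  # first side of the session waits for the other
                return
        for pair in ((conn, peer), (peer, conn)):  # bridge: data may flow either way
            threading.Thread(target=_pump, args=pair, daemon=True).start()

def dial(port: int, sid: bytes, tok: bytes) -> socket.socket:
    s = socket.create_connection(("127.0.0.1", port), timeout=2.0)  # outbound only
    s.sendall(sid + b" " + tok + b"\n")  # hello line: "<session id> <token>"
    return s

def demo(tok_for_b: bytes = b"") -> bytes:
    relay, sid = Relay(), b"session-42"
    a = dial(relay.port, sid, session_token(sid))
    b = dial(relay.port, sid, tok_for_b or session_token(sid))
    a.sendall(b"hello from A")
    return b.recv(1024)  # bridged data, or b"" once the relay has dropped B
```

`demo()` returns the bytes B received through the relay; `demo(tok_for_b=b"bogus")` shows the refused side getting nothing but EOF while A is left waiting.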



