Afaik, Istio only encrypts the traffic between 2 envoy sidecars.
The traffic towards the local sidecar is captured by iptables rules and then forwarded to the sidecar instead of its destination, so Istio has no control over that part. Then the traffic from the Istio sidecar towards the service uses the service's transport protocol (for example http); Istio can't encrypt that, as there's nothing on the other side to decrypt it (as it just left the sidecar). Unless of course your workload uses an encrypted transport (https, for example).
So it would be impossible to encrypt traffic between 2 services on a single pod, as there are no two sidecars in between. It enters and exits from the same sidecar.
As for a way around that, I think there is none. If you can't trust your pod's local network, then you can't use networking at all, as you would always have to use that network to get to your sidecar.
You’d have to use in-memory transports, like IPC or something.
To be clear, your service's network chatter will never leave the pod, as in, it's captured by iptables before it does.