Prevent outbound packet sniffing

Our security team is evaluating our Istio implementation and stumbled across the plaintext communication between sidecars in a pod. While the mTLS between proxies is sufficient once the traffic leaves the pod, they are curious about the TCP plaintext communication over the lo interface. We are able to satisfy their concern on inbound traffic by connecting the sidecars using a unix socket, however the only way that we think we can do the same for outbound is by maintaining our own certificates and letting envoy wrap TLS with mTLS. The downsides of this are obvious (cert/CA management, application code needs to listen on SSL, etc).

Curious if there are any other thoughts on this?