Strict mTLS default with opt out for specific services

I can see an example for setting permissive peer authentication for a namespace and opting in a workload to use strict mTLS, but does the inverse work?

My initial test didn’t work so I’m curious if I’m doing anything wrong.

Can confirm that it does work correctly as documented. There was a proxy call I didn’t expect which was being rejected.
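
The inverse setup asked about above, as an added example that is not part of the original posts: a namespace-wide STRICT policy with one workload opted out through a selector-scoped PeerAuthentication. The namespace `foo`, the policy name `legacy-svc-permissive` and the label `app: legacy-svc` are assumed names for illustration.

```yaml
# Namespace-wide default: a PeerAuthentication without a selector applies to
# every workload in the namespace. "foo" is an assumed namespace name.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: foo
spec:
  mtls:
    mode: STRICT
---
# Workload-level opt-out: a policy with a selector takes precedence over the
# namespace-wide policy, but only for the workloads its labels match.
# "app: legacy-svc" is an assumed label; every other workload in "foo"
# stays on STRICT.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: legacy-svc-permissive
  namespace: foo
spec:
  selector:
    matchLabels:
      app: legacy-svc
  mtls:
    # PERMISSIVE accepts both mTLS and plaintext on the matched workload.
    mode: PERMISSIVE
```

The opt-out covers only inbound traffic to the matched workload, so a plaintext call to any other workload in the namespace is still rejected by the STRICT default.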