Use of allowlists is not enough
Security should be multilayered, and use of allowlists is appropriate as one of the security levels.