You are right, the attack often starts from the inside; in fact, a firewall should also (or especially) be used to manage outbound connections. This helps to avoid both data leakage (simple pushing stuff to a remote host) and full remote control of the host, creating a tunnel.