what GG said.
Think of it as a safety net, the last chance to prevent any undetected malware from phoning home. (Even that isn't guaranteed. Some malware installs/modifies a system file, so it looks like the system -previously allowed- is phoning home, and not all firewalls are necessarily able to detect the change. Most should.)
Prior to that situation occurring, you have defenses in place that should stop the vast majority of it. In theory.