Explained at length below: after a subjective indicator of a possible breach, by monitoring, allowlisting and then deleting outbound network traffic sources (i.e. apps) on the device, then looking closely at any remaining, non-allowlisted traffic, which should be zero.
apps: https://news.ycombinator.com/item?id=46993016 | https://news.ycombinator.com/item?id=46997970
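
The residual-traffic check described above, as an added example that is not part of the original comment: it filters outbound flow records against a per-app allowlist and groups whatever is left by reason. The record layout, app names and hosts are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records: (source app, destination host, bytes sent).
# The record layout and all names are assumptions made for this example.
FLOWS = [
    ("mail", "imap.mail.example", 5120),
    ("mail", "imap.mail.example.cdn.test", 900),   # allowlisted name used as a prefix only
    ("notes", "sync.notes.example", 2048),
    ("flashlight", "ads.tracker.test", 300),       # app was deleted from the device
    (None, "203.0.113.7", 64000),                  # no owning app could be resolved
]

# Allowlist built during the monitoring phase: app -> permitted domain suffixes.
ALLOWLIST = {
    "mail": {"mail.example"},
    "notes": {"notes.example"},
}


def host_allowed(host, suffixes):
    """Match on label boundaries so 'xmail.example' does not pass as 'mail.example'."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def residual_flows(flows, allowlist):
    """Return flows the allowlist does not explain, grouped by reason."""
    residual = defaultdict(list)
    for app, host, nbytes in flows:
        if app is None:
            # Traffic with no attributable source is never implicitly trusted.
            residual["unattributed"].append((app, host, nbytes))
        elif app not in allowlist:
            # Includes apps that were supposedly removed but still emit traffic.
            residual["app_not_allowlisted"].append((app, host, nbytes))
        elif not host_allowed(host, allowlist[app]):
            residual["destination_not_allowlisted"].append((app, host, nbytes))
    return dict(residual)


if __name__ == "__main__":
    for reason, items in residual_flows(FLOWS, ALLOWLIST).items():
        for app, host, nbytes in items:
            print(f"{reason}: app={app} dest={host} bytes={nbytes}")
```

An empty result is the expected steady state; any entry is what gets the close look.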