I agree! In concept, implementing DEFPROT is a straightforward process: you place some discovery permissions in the ALL record, activate DEFPROT in the RDT, track access for a while, then assess the usage and place permissions based on observed access and deploy permissions (outside of the ALL record) to accommodate that access. The goal is that eventually all access is being granted via your newly-deployed permissions, and then eventually you can revoke the discovery permission from the ALL record as the final step where then you would truly have the DEFPROT in place.
But many factors can turn it into a very complex endeavor. Things like:
I have a more detailed demonstration of this process that includes solutions to the above items described, and I would be glad to show you – or anyone else who may be interested – via a zoom meeting or any online meeting tool of your choice.