
I've worked on systems deployed in the financial sector in high risk environments.

This sort of monitoring doesn't happen in the real world.



We had something similar where anything outside "normal" generated a ticket. It was disabled after 1 week because the support teams were getting more than 5000+ tickets each day. And this was after filtering etc....

Now this does not make it impossible, just very complex. In a more "controlled" environment such as a naval ship, I could see this actually working better, especially if the system is supposed to talk to very few external systems.


It does. I've deployed systems that would not only notify staff when novel packets were observed but immediately isolate anomalous hardware through a combination of powerdown and network fabric reconfiguration.


The amount of false positives a system like that would generate would rapidly render such a system entirely unusable.


Not in a secure environment... where you are supposed to control the hardware, the software, and the network absolutely.


The only way to create such an environment is to totally disconnect it from the outside world -- I'm talking even power source, phones, internet, all of it has to be disconnected or else I can exfil data all day long and nobody would ever know.


Yes, but eventually you have to get something done.

Security engineering is about tolerable failure modes. - Dan Geer (2014)


He was the "first employee and architect @ Kraken (2011-2015)". That might explain why Kraken spews out 502s all the time.


Dear snarky anonymous coward, as stated I left in 2015. I think you will find referenced issues occurred subsequent to that date under very different technical leadership.


Intrusion Detection Systems are basic network security 101 type stuff. I'd be surprised if anything that was really "high risk" didn't use an IDS.


Intrusion detection involves connections coming from the outside. These attacks originate inside the network, from the compromised equipment.

Except on extremely controlled networks, this would be very hard to detect. It gets even worse when you consider that the Chinese had/have a distributed network of compromised machines. Imagine using a Google edge server as a dead drop...


An IDS is perfectly capable of flagging outgoing or internal traffic.


There's a big difference between "using an IDS" and "a few unintended/unexpected packets are noticed and properly followed up on".
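Added example, not from any commenter in this thread: it ties together the two points made above, that an anomaly detector can flag traffic *originating inside* the network rather than only inbound connections, and that without aggregation such a detector drowns support in tickets. The internal range, hosts, ports and flow records are all constructed for illustration; the detector learns a per-host baseline of (destination, port) pairs, flags flows from internal hosts to anything outside that baseline, and then collapses hits into one ticket per host per time window so a burst of 500 novel flows becomes a single item to follow up on.

```python
"""Baseline-driven detection of novel outbound/internal flows from internal
hosts, with per-host aggregation so a burst of hits yields one ticket rather
than thousands. Everything here (subnet, hosts, flows) is constructed sample
data for the example, not a real deployment."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds
    src: str
    dst: str
    dport: int
    nbytes: int


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def build_baseline(flows):
    """Learn, for each internal host, the set of (dst, dport) it normally uses."""
    baseline = defaultdict(set)
    for f in flows:
        if is_internal(f.src):
            baseline[f.src].add((f.dst, f.dport))
    return baseline


def detect_novel(baseline, flows):
    """Flag flows whose *source* is internal and whose (dst, dport) is not in
    that host's baseline. An inbound-only IDS rule would never see these."""
    return [f for f in flows
            if is_internal(f.src)
            and (f.dst, f.dport) not in baseline.get(f.src, set())]


def aggregate(alerts, window=3600):
    """Collapse alerts into one ticket per (src host, time window), carrying a
    hit count, the novel destinations, and total bytes. This is the step that
    keeps a noisy detector from generating thousands of tickets a day."""
    tickets = {}
    for a in alerts:
        key = (a.src, a.ts // window)
        t = tickets.setdefault(key, {"src": a.src, "count": 0,
                                     "dests": set(), "nbytes": 0})
        t["count"] += 1
        t["dests"].add((a.dst, a.dport))
        t["nbytes"] += a.nbytes
    return list(tickets.values())


# Constructed learning-period traffic: two hosts with known peers.
BASELINE_FLOWS = [
    Flow(1000, "10.1.1.5", "10.1.1.10", 443, 2000),
    Flow(1001, "10.1.1.5", "203.0.113.9", 443, 5000),
    Flow(1002, "10.1.1.6", "10.1.1.10", 443, 800),
]

# Constructed live traffic: one known flow, 500 novel DNS flows from .5 in a
# single hour, one novel SMB flow from .6, and one inbound external flow that
# this outbound-focused detector deliberately ignores.
LIVE_FLOWS = [Flow(7200, "10.1.1.5", "10.1.1.10", 443, 1500)]
LIVE_FLOWS += [Flow(7200 + i, "10.1.1.5", "198.51.100.7", 53, 300) for i in range(500)]
LIVE_FLOWS += [Flow(7300, "10.1.1.6", "10.1.1.20", 445, 90000)]
LIVE_FLOWS += [Flow(7301, "192.0.2.1", "10.1.1.5", 22, 400)]


def run_demo():
    """Return the aggregated tickets for the constructed live traffic."""
    baseline = build_baseline(BASELINE_FLOWS)
    return aggregate(detect_novel(baseline, LIVE_FLOWS))


if __name__ == "__main__":
    for t in run_demo():
        print(f"{t['src']}: {t['count']} novel flows, {t['nbytes']} bytes -> {sorted(t['dests'])}")
```

Run as-is, it prints two tickets (one per host) for 501 underlying alerts. The window size and the decision to key tickets by source host are the knobs a support team would tune; the baseline itself would in practice be learned over far longer than three flows and re-learned on a schedule.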



