After reading "About the ZPA Cloud Architecture | Zscaler", I think that the Zscaler App connector acts as an SSL client to the real application, and this is why the Zscaler services are actually able to see the decrypted traffic, if I am not wrong. Maybe in this way the Zscaler service supports the new WAF-like inspection feature, "Web Application Security" (Zscaler Private Access Inspection | Web Application Security - YouTube), so if the ZPA sees the decrypted application traffic, it should be able to do DLP?
Also, for the new Web Application Firewall feature, that is, "Web Application Security", can you write custom signatures/rules, or turn off a rule/signature that triggers a false positive just for the affected user-agent, source IP address, URL, or hostname? Basically, I am asking what granular control you have over the rules/signatures (just enable, disable, or something more)?
Maybe the DLP is on the Zscaler road map.