If your malicious script starts doing things like running well-known payloads, trying to move laterally, or accessing things it really shouldn't be trying to access, AV will flag/block it.
No one is suggesting it is 100% coverage, but you would be surprised at the amount of things XDR detects and prevents in an average organization with average users, including the people who can't stop clicking YourGiftcard.pdf.exe.
I am not against trying to protect against people who do that. The problem is that you pay XDR big bucks to stop a lot more than that, and this mostly doesn't work.