In a frictionless intellectual vacuum, it is true that you can create undetectable covert channels. Covert channels are a fundamental problem in systems security, and that's been well-known since Salzer-Schroeder.

In the real world, the arms race of encoding and detecting extends to the horizon of our understanding of computer science and, most importantly, software engineering. Nobody knows all the mistakes that humans will make attempting to engineer systems to do perfect cover channels. For the forseeable future, both sides of this problem need to come to grips with the fact that they're armed imperfectly.

However, in the data leak scenario, the incentives are lined up to favor the monitors and not the leakers. The monitors have budget, continuous practice, access to all company communications to derive norms, and roughly the same access to equipment as the leakers. Meanwhile, if the leakers are caught just once, they're liable for extreme civil and (in some cases) criminal penalties.