I'm not sure I understand the question?
To respond to your statements, it comes down to where sensitive data is stored on your network and within your organization. Where it lives yes, but currently there are not viable (to my knowledge, correct me please if I'm wrong) agents for non-windows systems. For example, many systems, developers, servers, run in non-windows systems or through various data-bases, storage types, etc. Additionally some organizations are not able to put in a NAC to prevent non-sanctioned pc's without appropriate security controls to be installed from accessing the network.
While yes, in a perfect world, we'd have detection in every place the data is.... that would be so awesome.
Also, network DLP can easily cover the encryption portion. You just install certificates and run ICAP to an HTTP/S prevent system (like McAfee NDLP or Vontu or Websense) and deny/drop/alert on traffic matching the policy. Your firewall then blocks any encrypted traffic to unsanctioned network locations which are not meeting the decryption requirements/etc.
There is always a way to try and bypass, but thats true with any security solution. Look further and you'll see there is a way to address every method you mentioned for bypassing, so it can be at the very least alerted/tracked, if not blocked. The biggest obstacle is time and money. Businesses love setting those aside