And once you see them, you do what? Rollback reality?

I'm confused. Are you suggesting you should test with "real" data first?

I'm suggesting that monitoring an application for malicious behavior to detect it after the fact is the wrong approach. Once the data is sent, it's too late to do anything about it.

Oh you first try fake data? That's easy to counter. For example probabilisticly: the app tosses a coin and only sends the data with 50% chance the first time. Now half of people using your approach will think the app is safe and get their data stolen anyway. Or use some side channel, delay activity, ...