It is true. The do surface level protections, but have nothing to really lock down a system. What do they provide that can restrict an attacker who managed to compromise a remote service that wasn't using pledge or unveil? On other OS's, you can set things like append only, limit files being readable by particular processes, whitelist paths or executables from where the system may execute, etc etc etc.