mTLS secures the transport; a perfectly encrypted malicious payload still exploits the app — input validation stays your job. Sniffing, impersonation and man-in-the-middle attacks are precisely what mTLS's encryption and mutual authentication defeat.