DMZ is just the illusion of safety, just like containers or VMs. Whoever hacked his webserver could just as easily hack the router and from there access the local network.

Also a simple macadress spoof would be enough to enter the non-dmz network.