Disable Wi-Fi and LAN if user is not logged in
There isn't a great way to script this, but I would consider implementing this on the network side if you really had a great reason to not allow this. It will break many things that run, but let's assume you have some compelling reasons.
- Simplest is firewall rules on your router to isolate that machine. Only allow outbound connections to a VPN and log in to that VPN when you log in to an account that should be able to connect out.
The reason to do this on the network side is that the system is designed to take the WiFi credentials and expose them even before the OS boots in case of FileVault and T2 security chip. Same with Ethernet - the system wants to enable all of the interfaces so that a net boot or internet recovery is possible so rather than fighting the design, I would implement this entirely on the network end.
If you can't do DMZ / FireWall / VPN, the first thing I would try is making the network settings intentionally wrong. Choose a non-existent gateway on a non-routable address. For example if your actual router is 192.168.1.1 - set your Mac to be on the 172.16.0.1 or 10.3.2.1 networks. Yes they are connected, but the default route will be wrong and you can make sure the network drops those packets. Any software that has hard coded network addresses or can discover DNS / mDNS will still work, so that's why I recommended a proper network setup to disable the network for your Mac instead of scripting or hobbling things in the settings.