Comment by fock

and then most of the places I know happily allow employees admin access for "just that piece of software they need" and simultaneously push for "zero-trust". There's no point in it at all and you can just as well use saltstack to rollout apparmor-policies on your locked-down linux (and suddenly the same people wanting GPOs tell you that linux is untenable because of usage restrictions)