That’s why I focused on platform security. You can’t fully eliminate the possibility, but you can make it as hard as possible to pull off. TPM+dm-verity is to make it hard for the user to even look at how it works and prevent filesystem modifications that would give them root access to intercept the key loading mechanism.

The part where the laptop continuously check and refreshes the key is to address the second part about just turning off WiFi: make it so if you do that, you have N hours to break the system open before it reboots itself and you’ve lost access to the key for good. This can also depend on hardware-backed checks like TPM measurements and signature, to make sure the data key is only handed over to the expected environment.

It’s the same fundamental principles as Android and Play Integrity: use the security processor to attest the state of the device before the server agrees to send you stuff over. It’s been worked around via leaked keys mostly because Google is lenient for older devices, but the actual secure enclave hasn’t been broken yet.

The point is for the security to hold long enough the key’s gone before they can get it, and without the key the laptop is effectively wiped. That’s plenty for the overwhelming majority of “employee got fired and is pissed off and wants to retaliate”, and the best that can be done without going remote desktop/VDI.