I agree with your stance -- in a vast majority of corporate settings, trying to enforce security with code tends to cause more problems than it solves. It alienates users and makes them skip sanity checks and use loopholes (whatever is allowed by the security must be OK to use). Informing users of the policy and providing tools for them to voluntarily check compliance when needed works much better.
> This also helps with email retention policies. Sometimes you want ephemeral communications you don't want a record of.
This IMO is a lost battle. Once "Sent" gets pressed you should assume the message is out in the wild (any retention policies only complicate experience and can be ignored/countered by clients). If you want ephemeral communication, pick up the phone or talk face to face. My 2c.