Let's lay this out. Let's say you are a government IT shop (it doesn't matter what level, state, nation whatever), or a bank, or a hospital, you are required by law to control how data is processed on your network. Therefore you must monitor compliance for devices connecting to your network. This is what GlobalProtect was designed for. It can be used in less restrictive environments, but the IT shop should make sure to audit the rules and policies of the client to not be overly burdensome on users. Palo Alto has numerous courses to train IT professionals to configure their products. It is on the IT professionals to configure the services correctly.
Right, Global Protect is great in regulated environments. You can turn on its always on functionality and devices can then be used while connected to VPN or not at all. If that setting is configured in an environment where users are connecting their personal devices, it's misconfigured, pure and simple.
By the people who pay Palo Alto Networks.