Totally agree with you in every way except your last point. IIRC, the administrators of a Google Workspace domain have almost complete control of the accounts created under it. For example, they're able to make sure that each account comes with preset Chrome Web Store extensions or they can limit or completely disable your control over your account. So, unless the school board locked down the Chromebook itself, (which I don't think they can unless they actually own it) these restrictions and the spyware would've been automatically "installed" on OP's kid's account and shouldn't be active/installed when you're logged into a privately owned Google account. All in all, the way Chromebooks work is unconventional and sometimes very annoying.
If I recall, the language that's used in situations like these is something along the lines of "Personal electronic devices will be governed under this policy when such devices are attached to the CPS network." So .. it's a "as long as you're going to connect to the CPS controlled network / resources, you must have software protections / controls in place".
Except it sounds like the spyware is still installed even if they log in with their personal account? The isolation principle is violated. It's a huge security hole.
