macOS does not have the same containerization that iOS/iPadOS has. The main difference between BYOD and Org Owned for macOS is what MDM commands you can use, and what Configuration Profile payloads will function. Anything run by an MDM like Jamf, or a Security Tool like Jamf Protect, is run as root and can see everything on a Mac.
TL;DR you don't BYOD macOS.
Thanks for your response. The Jamf Trust activation profile that is deployed to BYO devices is entirely different from MDM managed deployments that offer the additional controls of Jamf Protect with the ZTNA functionality of Jamf Security that you are making mention of.
You may be conflating the two, but what I'm referring to is the Jamf Trust functionality with ZTNA and VPN specifically and its behaviour on a BYO activation profile (not MDM configuration profile) only relating to iOS and Android.
The Jamf Trust app's behaviour on iOS and Android is recording ALL traffic of BYO even though the additional Jamf Protect related (not Jamf Security/ZTNA) network diagnostic add-on is disabled in the BYO activation profile.
In a general sense, the above logic is unacceptable in every scenario one could conceive of. It would make logical sense that only tunnelled data should get reported, but not data that does not match the criteria of the policy-based routing configurations done in the Jamf Security portal within a demilitarized context like the BYO activation profile.