FYI, the US National Oceanic and Atmospheric Administration (NOAA) runs on GSuite/Google Workspace. Both PIV and WebAuthn are used for MFA. I've never seen anything there that wasn't simply unclassified, but for communications that need extra layers of encryption/DLP, they also have Kiteworks.
Nice they have DLP. Have they configured it to analyze or look for classification headers and are there teams that will reach out to violators and politely re-educate them?