Comment Re:Remote work (Score 1) 115

Your work environment at home is under your control, and you have greater flexibility here if your living location is not dictated by having to travel daily to a workplace.
If you get a full remote position you can go live somewhere cheaper, so that for the same price you get a larger house and dedicate a room for work. Buy a decent comfortable chair that suits your body size and shape, a decent desk and a high quality monitor.

Most offices have standardised equipment and won't buy equipment that suits you, they might not even buy decent quality equipment. I've worked in many offices that bought the cheapest possible desks/chairs which were horribly uncomfortable and frequently broken. They also had the cheapest possible monitors which had a poor resolution, poor contrast and caused eyestrain. Typically also they skimp out on connectivity, so simple online operations are slower than necessary - and this is made worse if a lot of infra is moved to cloud instead of being on-prem at the same location.
Yes most offices suck, you can do a lot better at home.

Comment Re: Infosec incentivized for compliance, not work (Score 1) 115

Whoever set up that policy gets warm fuzzies by having it, rather than doing other things that could actually mitigate the risks should a single employee workstation (root or not) become compromised.

Actually if you have a standalone workstation that you setup and manage yourself this will often be significantly lower risk, as there will be no shared credentials on it that could be used for lateral movement. The typical AD model of shared authentication provides plenty of options for lateral movement, and there are many commonly deployed "security processes" that claim to be beneficial while actually providing additional lateral movement opportunities.

Several companies I audited ran nightly scans of every device that logged in remotely as a privileged user to do the scan. Once you compromised a single workstation you just had to wait for the nightly scan and steal its token, then you had access to pretty much everything.
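A defender-side check for the scanner pattern described above, as an added example that is not from the post: it reads constructed logon records (simplified 4624-style lines, not real telemetry) and flags privileged accounts whose logon type leaves a reusable token on many workstations. The account names, host names, logon-type set and threshold are assumptions.

```python
"""Flag privileged accounts that log on to many workstations in a way
that leaves a reusable token behind. Constructed example, not from the post."""
from collections import defaultdict
import re

# Constructed log lines in a simplified Windows 4624 style (not real data).
LOG = """\
2024-03-01T02:00:03Z host=WS-0142 event=4624 user=svc_vulnscan logon_type=10
2024-03-01T02:00:09Z host=WS-0143 event=4624 user=svc_vulnscan logon_type=10
2024-03-01T02:00:15Z host=WS-0144 event=4624 user=svc_vulnscan logon_type=10
2024-03-01T02:01:02Z host=WS-0150 event=4624 user=svc_backup logon_type=3
2024-03-01T08:12:44Z host=WS-0142 event=4624 user=jsmith logon_type=2
"""

# Assumed list of accounts that hold admin rights across the estate.
PRIVILEGED = {"svc_vulnscan", "svc_backup"}
# Logon types that leave credential material on the endpoint (interactive,
# batch, service, unlock, remote interactive, cached). Network (3) does not.
TOKEN_LEAVING = {2, 4, 5, 7, 10, 11}
LINE = re.compile(r"host=(\S+) event=4624 user=(\S+) logon_type=(\d+)")


def risky_privileged_logons(log: str, host_threshold: int = 3) -> dict:
    """Return {account: [hosts]} for privileged accounts that performed a
    token-leaving logon on at least host_threshold distinct workstations."""
    hosts = defaultdict(set)
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # ignore lines that are not successful-logon records
        host, user, ltype = m.group(1), m.group(2), int(m.group(3))
        if user in PRIVILEGED and ltype in TOKEN_LEAVING:
            hosts[user].add(host)
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= host_threshold}


if __name__ == "__main__":
    for account, seen_on in risky_privileged_logons(LOG).items():
        print(f"{account}: token-leaving logons on {len(seen_on)} hosts: {seen_on}")
```

The same scan run with a network logon (type 3), as svc_backup does here, is not flagged, which is the change a scanner owner can make without giving up the scan.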

Comment Re:47 seconds (Score 1) 115

If you're physically in the office then you can prove your arrival time based on the time you swipe through the entrance door.

And as for the rest, you underestimate how slow some machines can be. Corporate desktops tend to be the cheapest available hardware purchased in bulk, and then loaded up with lots of bloatware that slows it down. Those in IT tend to have more powerful hardware so they don't notice or care about the time consumed by other employees.
Plus the servers that people interact with during this time were probably idle overnight or performing some sort of backup/maintenance tasks; the software used when people log in will likely have been swapped out. When lots of users are all trying to log in at the same time it not only has to reload these swapped out processes, it also has to process a large number of logins simultaneously. But since this only happens once a day the overall load on the server isn't high when averaged over the whole day, so the server isn't considered underspecced or upgraded.

Comment Re:What? how long can that possibly take? (Score 1) 115

You get a lot of junk on most corporate laptops - AV, EDR, spyware, remote management, monitoring etc.
I had a personal laptop which was an identical model to the company supplied work laptop (in this case a MacBook Pro so no Windows involved) and it booted noticeably quicker, although sleep is reliable on Macs so most of us just put it to sleep instead of shutting down at the end of the day.

For others I see with Windows laptops the problem tends to be even worse.

Comment Re: What? how long can that possibly take? (Score 1) 115

Unnecessary commuting is one of the biggest contributors to carbon emissions, and COVID proved that with significant drops in CO2 emissions when people were working from home.
There need to be regulations to prevent employers from forcing unnecessary commuting, such as:

Right to work remotely unless it can be proven that your job absolutely requires presence in a specific location.
Make commuting time work time, requiring employees to be paid for it.
Tax employers based on the number of commuting hours across their employee base.
Require employers to offer relocation assistance for permanent employees who absolutely need to be in a specific location.
Flexible/staggered hours so employees can avoid peak travel times.

Comment Re:What? how long can that possibly take? (Score 3, Insightful) 115

The one possible upside is that it could set a precedent, and prevent other companies from pulling the same crap in future.

Although it should be obvious, if you're carrying out tasks that your employer has instructed you to perform then you're working and should be paid for the time. If those processes are time consuming it's the employer's fault and their own time they're wasting. Once they can no longer pass the costs of that inefficiency onto employees they might actually do something about it.

Comment Re:When Windows 10 ended support (Score 1) 51

The USB stick can be wiped and reused for something else.
USB sticks, or SD cards etc are not very expensive.
The optical media might be cheaper, but the combination of media and drive is not, plus to get a good price on media you usually need to buy a spindle. Unless you're regularly using optical media for other purposes, it's actually a lot more expensive for a one off installation.

Comment Re:Title should read ... (Score 1) 55

That's exactly what any consumer router or firewall does by default.
Your ID suggests you might have been around long enough to remember when legacy IP was used in this way too - with proper routable address space on both sides of the firewall. That's exactly how a firewall is designed to work, NAT is just extra complexity that introduces new problems.

With routable space both sides it's easy to verify your firewall configuration works as intended.
With non-routable space behind you're relying on the upstream not to pass packets to you with the non-routable address as destination. Typically this won't happen because the ISP's router won't know to route traffic for that block via your router. But what if such traffic does arrive on the WAN port of your router?
Unless explicitly configured to drop it, most devices will dutifully route it inside.

You think this can't happen? It can. Many ISPs put their customers into a shared WAN subnet so the other customers are layer 2 adjacent and can absolutely send packets to your router with an internal destination address. Have you tested this scenario? Just one of the many ways complexity is added.
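The WAN-ingress scenario above, as an added example that is not from the post: a simulated forwarding decision for a home router with RFC1918 space inside, first with no ingress policy (the "dutifully route it inside" behaviour) and then with explicit drop rules. Interface names, prefixes and packets are constructed; the documentation prefix 2001:db8::/32 stands in for a delegated /56 and is used only for the anti-spoofing source check.

```python
"""Simulated forwarding decision for a home router (constructed example)."""
import ipaddress
from dataclasses import dataclass

WAN_IF = "wan0"                                            # assumed name
LAN_V4 = ipaddress.ip_network("192.168.1.0/24")            # RFC1918 behind NAT
DELEGATED_V6 = ipaddress.ip_network("2001:db8:1200::/56")  # routable, delegated
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on
    src: str
    dst: str


def naive_forward(pkt: Packet) -> str:
    """Routing with no ingress policy: anything addressed to a connected
    prefix is sent inside, whichever interface it arrived on."""
    dst = ipaddress.ip_address(pkt.dst)
    return "lan" if dst in LAN_V4 or dst in DELEGATED_V6 else "wan"


def filtered_forward(pkt: Packet) -> str:
    """Same routing, but WAN ingress is checked first: private destinations
    never arrive legitimately from upstream, and our own prefixes never
    appear as the source of an upstream packet."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.ingress == WAN_IF:
        if dst.version == 4 and any(dst in net for net in RFC1918):
            return "drop"
        if src in LAN_V4 or src in DELEGATED_V6:
            return "drop"
    return naive_forward(pkt)


# Constructed traffic: a layer-2-adjacent neighbour on a shared WAN subnet
# (100.64.0.0/10 CGNAT space) aiming straight at an internal address.
SAMPLE = [
    Packet("wan0", "100.64.5.7", "192.168.1.10"),
    Packet("wan0", "192.168.1.50", "192.168.1.10"),
    Packet("wan0", "198.51.100.9", "10.0.0.5"),
    Packet("lan0", "192.168.1.10", "203.0.113.5"),
    Packet("wan0", "2001:db8:ffff::1", "2001:db8:1200:1::22"),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.ingress, p.src, "->", p.dst, naive_forward(p), filtered_forward(p))
```

The v6 packet is forwarded by both functions: with routable space inside there is nothing unroutable to hide behind, so admission is decided by the firewall policy alone, which is the property the comment says makes the configuration easy to verify.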

Comment Re:Title should read ... (Score 1) 55

It's not "too complex", it works the same as legacy IP did just with a larger address space. You only think it's too complex because you've never bothered to learn about it properly.

In fact, once you add in all the kludges used to keep legacy IP limping along (NAT, address overlaps, misuse of reserved or squatted address space, address recycling etc etc etc) then IPv6 is actually much simpler.

For home I gave up on it before because my ISP didn't give a subnettable allocation

What ISP gives you a subnettable allocation of legacy IP for home use?

The standard for a v6 home allocation is /56 (see: https://www.ripe.net/publicati...) which lets you create 256 standard /64 subnets. If you get anything less you have a lousy ISP.

If you don't have any choice of ISP then legacy IP is one of the reasons - any new provider would be forced to pay a lot of money for legacy space, and pay a lot more to implement CGNAT while providing inferior service to customers.

If you don't have a subnettable allocation then you need to resort to kludges like NAT, which you're almost certainly doing for legacy traffic already. Yes v6 should be better, but even in a worst case it's not any worse.

Also a lot of users apply legacy thinking and assume the v6 allocation on the WAN interface is all you get. This is generally true for legacy IP because you're only given a single address on the WAN port and expected to NAT. With v6 you still get a single address on the WAN port but you're expected to use prefix delegation to get a separate subnet for use behind your router. Yes your router can actually be a router and not a glorified proxy with NAT.
Legacy IP actually works the same way, but typically only large businesses can afford enough address space to be able to route and subnet it properly.

Comment Re:Content networks are not "ISPs" (Score 1) 55

CGNAT is far more widely used in developing countries, as noted in the article.
In developed countries there tend to be long established providers that got large early pools of legacy address space and don't need CGNAT.
New providers would be forced to use CGNAT, so this stifles competition and is one of the reasons many Americans have no choice of provider.
A lot of the content providers and CDNs are based in these developed countries and still cling to this assumption because they have never had to experience the headaches of CGNAT themselves.

Piling on top more and more kludges and complexity is not the answer, that just makes the house of cards more expensive, complex and unstable. The answer is to use IPv6 and ditch legacy IP.

Over here the ISP is already dual stack, with CGNAT for legacy traffic. I have the "ipvfoo" browser extension and in 99% of cases if I see a captcha popup it's because the site doesn't publish AAAA records. Sites which are accessed over IPv6 almost never have that problem.
This is especially stupid when using a provider like Cloudflare, because they provide v6 for free. And Slashdot is especially guilty of this, not publishing the AAAA records despite using Cloudflare.
This is another symptom of short sightedness - managed from a developed country where they use an incumbent ISP that's not using CGNAT so they don't see the problems others will be forced to deal with.

Comment Re:IP hogs - Some companies did that by default (Score 1) 55

HP had 2x class A after their acquisition of DEC, I'm not aware of anyone else having larger than that.

I have a dual stack IPv4/IPv6 ISP these days that issues a single IPv4 (dynamic but hasn't changed in 8+ years), and a /64. My problem with their IPv6 is the RA & addressing are not under my control.

This is a totally broken setup, unless you're applying legacy thinking to it and don't understand how it works. The /64 you get on the WAN interface is just for the router, and you typically need to use prefix delegation to get a second prefix (which should be a /56 for home use) that is then routed behind your router and entirely under your control.
Yes with v6 your router actually gets to be a router, not a glorified proxy with NAT.

Comment Re:Sucks (Score 1) 55

Because of the shortage of legacy IP, any new or expanding provider has no option but to use CGNAT or charge a _LOT_ more for service.
People complain about a lack of competition - this is one of the reasons why.
In some countries there are no non-CGNAT consumer options. Even business plans are behind CGNAT unless you pay significantly more.

You should be using IPv6 for everything - that way you can ssh direct to multiple devices instead of having to use nonstandard ports or go through a jump server, and you will face far fewer brute force attacks against your ssh services because bots won't be able to find them in the large address space.
All mobile operators in the US support v6, so you will have access from everywhere. If you encounter a legacy network you can use something like Cloudflare WARP as a VPN, as well as complaining whenever you encounter such an outdated network.

Once everything uses v6 this problem simply goes away, but a lot of people aren't aware of it and don't bother to deploy it. User awareness needs to increase or things are just going to get worse.
