The big difference is between this and the OP, though, is that my company owns these laptops.
Yeah... and you and YOUR COMPANY (rather) potentially get to share liability with your service provider, in the event that your CA's private key facilitates the commission of fraud or some other crime against the user, for example, if the zScaler CA or zScaler's infrastructure is used to steal banking information or PII from someone using one of these laptops; the person can sue your company and/or Information Technology professionals responsible for the intercept or misappropriation of information.
For what it's worth though.... the user could also sue if there was a keylogger installed on it by your company that lead to to damages against them, or possibly if there was malware -- that the owner of a laptop had a duty to prevent or detect.
It doesn't matter that your company owns the laptop. Legally you can surveil the activity of the laptop, BUT there is a duty of care that comes with you and your company's choice to do so and legal owernship of the laptop.
So your company best be darned 100% certain that zScaler passes all due dilligence for protection of crypto secured information.
Well, actually, no, since the devices are provisioned for work use. If your bank or passport details are stolen because you used your WORK laptop on the WORK network to access those PERSONAL sites, that's on you. The company only has a duty of care to protect information they know thy have.