ctsProfileMatch security implications

soundislate

I'm working on moving to Graphene on a Pixel 10 Pro, and have run into some issues while setting up a work profile. My company uses Google Workspace, and there's a policy enforcing that the device needs to pass a CTS profile match. (Disclaimer: I know that some the things I'm doing are less than privacy preserving, but I still want Graphene for my private profile, and I don't want a separate device for work.)
I managed to enroll the phone and set up the work profile, but only after my IT admin granted me two (temporary) exemptions: third party app stores (in order to allow Google Play Store to install apps) and CTS profile match. I understand and can try to argue for a permanent third party app store exemption, but don't have the full picture on CTS. I've read this, which explains some aspects from the stand point of an app developer, but what does the Workspace setting entail for an IT admin? What are the security implications for exempting me or turning the policy off for the whole organization? Are there other ways to manage this policy with Graphene?
If I can't figure out how to work around this policy, I'll have to either carry two devices or revert to stock OS, and I really dislike both options.

MetropleX

ctsProfileMatch simply means that the OS is Google certified, meaning that the OEM/OS has licensed Google Mobile Services to integrate Play Services as system level apps.

ctsProfileMatch is part of the old and now deprecated SafetyNet which has been superseded by Play Integrity API.

GrapheneOS is not and will not be certified by Google. Neither of safetynet nor Play Integrity are security features, they are market protection features. As we've commented elsewhere a device on 5 year old software and no longer receiving hardware, firmware/driver support with known vulnerabilities but yet have paid the protection racket licensing fee can still pass the aforementioned checks while our class leading security/privacy focused OS using only non end of life devices with not just the latest but in most cases future patches beyond standard OEM practices, can't/won't be allowed to pass it.

IT Admins may struggle to argue to remove it nor be inclined to as they'd be trying to explain the above to similar people who have already decided to partake in Googles anti-competitive practices by enabling and toggling Play Integrity on without an understanding of it and only willing to see how Google markets it. App Developers and IT Admins enabling it and leaving it also absolve themselves of one any responsibility and two culpability if anything goes wrong.