A different SKU for enterprise managed devices would cripple IT departments that don't pay the big bucks to e.g. Verizon to manage their device provisioning & MDM enrollment.
Wut? I don’t follow? Anyway, once you are big enough to care about preventing bootloader unlocking on your company devices you are big enough to pay for that privilege.
You'd need two different SKUs for each different color and size to enable this in a more user-friendly way, where devices either enterprise locked or carrier locked get the one with a locked-by-default bootloader, and ones bought directly by the consumer have an unlocked bootloader. Realistically the latter group is so small it doesn't make sense to complicate the production and logistics process by having this separation. Instead, we get the current situation where the bootloader can be unlocked after initial setup check.
It would be much nicer if it defaulted to allowing unlocking though. You can boot up a DEP enrolled Mac and use it even if your internet connection doesn't work, including disabling SIP and the bootloader. Though your MDM attestation may fail if you then enroll it. That need to explain yourself to the IT department should be enough incentive to an employee to not unlock your work device bootloader.
Has it occurred to you that the feature you're defending allows Google to lock customers into their provisioning/MDM? That this is worse than Verizon controlling provisioning/MDM, because at least Verizon is subject to market competition (i.e. you can buy the device from other parties), whereas Google doing it means you have no choice whatsoever?
You're also grossly exaggerating things. We're not talking about a change that would prohibit management, just one that would not allow them to do zero-touch enrollment into their management systems.