I agree, but a lot of companies risk exactly that by creating policies that people are likely to have reasons to want to bypass.

E.g. Calendar sharing. It's a paintpoint if you often have irregular working hours and have to match up a personal and work calendar. At least allow sharing busy/not busy... By not doing so, you create an environment where people are tempted to find workarounds that might be much worse.

Part of your security posture needs to be to consider how to prevent friction in areas where reducing it removes incentives for non-compliance.