Does your company have a serious IT department that manage devices?
If yes, then you’ll need to do whatever they say, and be ready to be told that’s not happening.
If not, I’d suggest a stable distro, encrypt the disk, and use flatpak/nix to install fresh packages. Fedora could work, but I’ve had bad luck with it, and wouldn’t want to risk my device crapping out because of an update.
The rest is really going to depend on your work and your it department.