Put it on the endpoint. You already need protection on the endpoint to protect against malware, etc., and MITM solutions only cover assets on the internal network. What about company laptops?
Pretty much all the endpoint solutions MITM exactly the same way as the middle box by running as a proxy listening on localhost. They also pretty much universally do an even worse job than the network middleboxes on handling invalid certs and supporting modern TLS, hard as that may be to believe. Then you have the added nightmare of ensuring a client on tens or hundreds of thousands of endpoints is fully patched and functioning correctly.
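The complaint above (a localhost proxy that quietly accepts invalid upstream certificates or cannot negotiate modern TLS) is something a defender can measure rather than take on faith. The script below is an added example, not code from any commenter or product: it tunnels through a local interception proxy with HTTP CONNECT, performs a fully verified handshake plus a `GET /` against the public badssl.com test hosts, and reports whether the proxy let an invalid upstream certificate through, which TLS version it negotiated, and whether every certificate the client saw came from one issuer (the interception CA). The proxy address `127.0.0.1:8080` and the `evaluate()` findings format are assumptions of this example.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional

# Public test hosts operated by badssl.com whose certificates a correctly
# validating client, or a correctly validating interception proxy, must reject.
INVALID_CERT_HOSTS = (
    "expired.badssl.com",
    "wrong.host.badssl.com",
    "self-signed.badssl.com",
    "untrusted-root.badssl.com",
)


@dataclass
class ProbeResult:
    host: str
    handshake_ok: bool
    tls_version: Optional[str] = None   # e.g. "TLSv1.3", as negotiated with the proxy
    issuer_org: Optional[str] = None    # organizationName of the certificate the client saw
    http_status: Optional[int] = None   # status of "GET /" inside the tunnel
    error: Optional[str] = None


def _read_http_head(sock) -> bytes:
    """Read until the end of the HTTP headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed before headers were complete")
        buf += chunk
    return buf


def _status_code(head: bytes) -> int:
    return int(head.split(b" ", 2)[1])


def probe_via_proxy(host: str, proxy_host: str = "127.0.0.1", proxy_port: int = 8080,
                    timeout: float = 5.0) -> ProbeResult:
    """Tunnel to host:443 through the local proxy (assumed address), do a fully
    verified TLS handshake and a GET /, and record what the client observed."""
    ctx = ssl.create_default_context()            # chain + hostname checked against the OS trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy protocol versions outright
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as raw:
            raw.sendall(f"CONNECT {host}:443 HTTP/1.1\r\nHost: {host}:443\r\n\r\n".encode())
            if _status_code(_read_http_head(raw)) != 200:
                return ProbeResult(host, False, error="proxy refused CONNECT")
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
                tls.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
                status = _status_code(_read_http_head(tls))
                return ProbeResult(host, True, tls.version(), issuer.get("organizationName"), status)
    except (OSError, ValueError) as exc:           # ssl.SSLError and socket.timeout are OSErrors
        return ProbeResult(host, False, error=str(exc))


def evaluate(results: List[ProbeResult]) -> List[str]:
    """Turn probe results into findings about the proxy's behaviour."""
    findings = []
    for r in results:
        if r.host in INVALID_CERT_HOSTS:
            if r.handshake_ok and r.http_status == 200:
                findings.append(f"{r.host}: reachable with a clean client-side handshake; "
                                f"the proxy is not validating upstream certificates")
        elif r.handshake_ok and r.tls_version != "TLSv1.3":
            findings.append(f"{r.host}: negotiated {r.tls_version}; the client-facing side "
                            f"of the proxy did not offer TLS 1.3")
    # One issuer behind every successful handshake means the client never sees
    # the real server certificate: TLS is being terminated on this path.
    issuers = {r.issuer_org for r in results if r.handshake_ok and r.issuer_org}
    if len(issuers) == 1 and sum(r.handshake_ok for r in results) > 1:
        findings.append(f"every certificate the client saw was issued by {issuers.pop()!r}: "
                        f"TLS is being intercepted on this path")
    return findings


if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8080
    probes = [probe_via_proxy(h, proxy_port=port) for h in INVALID_CERT_HOSTS + ("badssl.com",)]
    for line in evaluate(probes) or ["no findings"]:
        print(line)
```

Run it on a managed endpoint with the inspection client active; any finding for an `INVALID_CERT_HOSTS` entry means the proxy is presenting a valid-looking certificate for a site whose real certificate should have failed validation, which is exactly the failure mode described above.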
Most of the solutions I have seen for devices outside the corporate perimeter are some combination of enforced vpn and authenticated proxy that is internet accessible.
Endpoint-based MITM solutions tend to be even worse for security, since they have a larger attack surface (and generally seem to be really badly implemented). On the plus side, some things can be done locally without MITM.
From a privacy perspective, it doesn't really matter if the monitoring happens centrally or not.
In the cases where I've seen strict filtering, laptops were forced through VPN connections to HQ, where the gateway then decides what parts of internal and external networks they are allowed to access.