Not the device, the student district-managed account that is logging into the device. Districts are bound by law (varying from state to state) at a basic level to filter content and restrict access in the broadest sense, on or off the district network. I've worked in multiple states for various districts they all had similar compliance requirements.
I don't see how the mere fact of someone being logged into a school account could create such a requirement. If I log into the school account from a normal desktop computer, I don't believe that the school even has the ability to restrict what webpages can subsequently be accessed. Is the school then failing to meet its responsibilities? If not, then how could they be required to enforce this on a chromebook that they do not own?
We run Chromebooks. I'm logged into one right now, on my personal account. There is no way for me, the GSuite admin of my company, to fuck with that personal account.
I can't read anything from it, I can't manage it in any way, I can do nothing. Some things in the personal account aren't accessible (you can only have one account on Chromebooks with a Linux VM), that's it.
If a kid or parent can log in from offsite, it is not technically possible to force all browsers or systems to monitor and restrict activity. I can log in through Firefox (or curl, for that matter) and not have my activity sent to the school.
Also, there is absolutely no legal way the school could force the monitoring of activity from an offsite computer (unless it were school-owned), even if it were technically possible. To secretly and silently install spyware on a parent's computer when the parent logs into the child's account would violate so many laws and constitutional protections I can't even list them.
