Hi, it's quite a bit late - however, I wondered why you start protecting at the end of the involved components following the route from storage to Client-Application?
Eg. Word uses local persistence, mean a client download of the data from its backend eg. SharePoint Online. Why you should do it for all kind of documents? There are DLP settings for that on your M365 platform.
We started with sensitivity labelling to mark the content and observe how users applied labels. The next stage was add protection to most valuable content. Here we use custom / ad-hoc protection, mean the user has to specify who exactly should have access to the content. All that should be backed by a sound coorporate governance. If not available, I assume this should be the first project with your legal dept. or equivalent.
Regrads Max