I need to control the flow of information based on its sensitivity label. Defender ATP + Microsoft Information Protection looks like the perfect tool, but all of the documentation I can find is oriented toward only two classifications: Work information and Personal information. I can't find anything that describes the fidelity allowed when utilizing sensitivity labels.

For example, if one SharePoint site is HR (sensitivity: HR/PII), and one is a Project XRay (sensitivity: General Business), I need to restrict both of those from going out to uncontrolled non-work environments, that looks easy. However, is it possible to also restrict HR/PII labeled information from accidently being leaked to the XRay site and every other site except ones that are approved to store that type of information?