@Christopher Hoard I don't see the ability to convert a standard channel to a private channel. Is there a option to do this in powershell? Or does Microsoft have this on there roadmap to have that ability?

I will have to investigate sensitivity labels.

Adding Azure Information Protection labels on documents in the Sharepoint library seems like a daunting task.

@Christopher Hoard Chris, in regards to building a separate Sharepoint site with specific permissions, then adding that Sharepoint site as a tab in Teams. Does guest access need to be turned on in the Teams Admin center for the guest to access that tab in Teams?  In other words, with external access only turned on, will a guest be able to access that tab in Teams?

@Christopher Hoard Thank you for all your help with answering my questions so far. For us at this time, it seems to make the most sense to just invite the guest separately in the Sharepoint site. We can leave Teams Org Wide external access on so that the client/external user can still be invited to the Team to be able to chat/call and @ mention the external user when chatting in Teams, correct? 

@MagicMarker in addition on the good options from @Christopher Hoard you can also take a look at Conditional access (Depends if it is included in your license). It will block access to sharepoint completely, so the “Files” tab in teams will not work. Not sure if this is an option as adding a guest to a team is because of the collaboration ;) 

With this you can exclude machines from SharePoint when they are not domain joined and/or managed by the tenant (Intune).

Reference: https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices