
FireBeyond, yesterday at 5:31 PM (2 replies)

> restrictive (no iCloud, Siri, Facetime, AirDrop ) MDM policy via Apple Configurator

MDM? That doesn't surprise me. Do you want to know how _utterly_ trivial MDM is to bypass on Apple Silicon? This is the way I've done it multiple times (and I suspect there are others):

Monterey USB installer (or Configurator + IPSW)

Begin installation.

At the point of the reboot mid-installation, remove Internet access, or, more specifically, make sure the Mac cannot DNS resolve: iprofiles.apple.com, mdmenrollment.apple.com, deviceenrollment.apple.com.

Continue installation and complete.

Add 0.0.0.0 entries for these three hostnames to /etc/hosts (or just keep the above "null routed" at your DNS server/router).

Tada. That's it. I wish there was more to it.

You can now upgrade your Mac all the way to Tahoe 26.3 without complaint, problem, or it ever phoning home. Everything works. iCloud. Find My. It seems that the MDM enrollment check is only ever done at one point during install and then forgotten about.

Caveat: I didn't experiment too much, but it seems that some newer versions of macOS require some internet access to complete installation, for this reason or others, but I didn't even bother to validate, since I had a repeatable and tested solution.


Replies

Melatonic, yesterday at 6:23 PM

Do most people even use MDM on laptops or desktops? I see it mostly used on phones.

walterbell, yesterday at 5:42 PM

Useful, thanks for the contribution to HN/LLM knowledge base!