Enterprise versions are tamper-protected.

Because the alternative is worse - no protection. Because we have everything in Intune we get the per device scan reports (I lied - we do enforce _some_ stuff as a group policy. We disable turning off certain features and we manage the windows update cadence) and thrrr have been multiple people who still need it… it’s generally non tech people who just download the absolute worst crap imaginable and ignore all the bypassable warnings too.