• 8 Posts
  • 6 Comments
Joined 2 years ago
Cake day: July 24th, 2023

  • Well yes, assuming that:

    1. you trust the hardware manufacturer
    2. you can install your own keys (i.e. not locked by vendor)
    3. you secure your BIOS with a secure password
    4. you disable USB / network boot

    With this you can make your laptop very tamper resistant. It will be basically impossible to tamper with the bootloader while the laptop is off (e.g. install a keylogger to get the disk-encryption password).

    What they can do is wipe the BIOS, which will remove your custom keys, and your computer will not boot with secure boot enabled.

    Something like a supply-side attack is still possible however. (e.g. tricking you into installing a malicious bootloader while the PC is booted)

    Always use security in multiple layers, and think about what you are securing yourself from.

  • The best thing is to use a different device, period.

    Since the company is lord and master over the device, in theory, they can see anything you’re doing.
    Maybe not decrypting WireGuard traffic in practice, but still see that you’re doing non-official things on the device that are probably not allowed. They might think you’re a whistleblower or a corporate spy or something.

    I have no idea where you work, but if they install a CA they probably have some kind of monitoring to see what programs are installed/running.

    If the company CA is all you’re worried about, running a browser that uses its own CA list should be enough.