best response confirmed by adam deltinger (MVP)
Solution
Hmmm, afaik it does: see here: https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-wo... and section restrict access to content. AFAIK, the other user it has been shared with cannot access it.

In terms of downloading, well, you would probably look to use app protection policies using Intune in order to block downloads on non managed devices

https://docs.microsoft.com/en-gb/mem/intune/protect/data-leak-prevention

Or you could look to apply sensitivity labels, for example on Teams to require the device to be managed

https://microsoft365pro.co.uk/2019/12/10/teams-real-simple-with-pictures-using-sensitivity-labels-to...

If you were taking a zero trust policy no device accessing the corporate access or applications would be non-managed.

Best, Chris