Some of the FedRamp standards require a VPN and prohibit split tunneling (i.e. Spotify goes directly out to the internet and the VPN only exposes routes to internal company hosts).

AFAICT, most of them allow split tunnels for work VPN -- most work VPNs are set up to allow access to corporate resources, not block normal usage. Some places have very high security requirements.

I’ll assume that they’re VPN’ing into work and their IT doesn’t allow split tunneling. As a result, all traffic has to flow into the VPN concentrator as a bottleneck.

If the laptop is setup to route all traffic through the corporate VPN as many businesses do it doesn't just affect your home network.