
Basic TLS is sufficient to stop your employer from MITM'ing your personal email session as long as you control what certificates your machine trusts.

Certificate pinning is what protects the main sites (who use pinning) from an advanced attacker or a rogue government who are able to get a proper CA to issue fake certificates.



Basic TLS is sufficient to stop your employer from MITM'ing your personal email session as long as you control what certificates your machine trusts.

Which, on almost any employer-issued device on a large corporate network today, you won't.

Personal stuff goes on personal devices with personal connectivity and uses personal accounts with personal security. Work stuff goes on work devices with work connectivity and uses work accounts with work security. Contaminating either with the other is just a recipe for bad things happening, often for both the employer and the employee.


By contrast, I'm typing on a work computer right now. We deploy no special certificates to attempt to MITM traffic, nor will we ever.

I'm using a Chromebook, which allows me to run multiple users at the same time, each with their own profiles. Each user has their own encryption keys for their hard drive. We have no corporate network, no VPN, and instead rely on attestation for authorization.

I prefer to use this device for personal use because I know how safe it is.


Yep. Pinning doesn't protect you, using a personal device protects you.

You mention needing to use personal connectivity. I don't think that's necessary. HTTPS should protect you from malicious networks.


HTTPS should protect you from malicious networks.

Yes, but on the kind of network we're talking about, you probably won't be able to make an outbound HTTPS connection at all if you're not going via the required security infrastructure with an appropriate corporate-issued cert.
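The distinction the thread draws between controlling the trust store and pinning, as an added Go example that is not part of any comment above. It builds a "Public CA" that issues the genuine certificate for a hypothetical host mail.example.test, and a "Corp Root" that issues a second certificate for the same name, which is what a corporate TLS-inspection proxy presents when the corporate-issued root has been pushed to the device. Against a trust store the user controls, the proxy certificate fails ordinary chain validation; against an employer-managed store that includes Corp Root it validates, and only an SPKI pin over the real site's key still catches it. The CA names, the host, the serial numbers and the use of a P-256 key are assumptions for illustration; the pin format (base64 of SHA-256 over the DER SubjectPublicKeyInfo) is the one HPKP and Chrome's built-in pin lists use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const host = "mail.example.test" // hypothetical mail host (an assumption for this example)

var ErrPinMismatch = errors.New("leaf SPKI does not match the pinned key")

// newCert generates a fresh P-256 key and issues a certificate for cn: a
// self-signed CA when parent is nil, otherwise a server leaf signed by parent.
func newCert(serial int64, cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// spkiPin is the HPKP/Chrome pin format: base64(SHA-256(DER SubjectPublicKeyInfo)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// checkConnection is the client's decision on a presented leaf: ordinary chain
// validation against roots first, then the SPKI pin if one is configured.
func checkConnection(leaf *x509.Certificate, roots *x509.CertPool, pin string) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return err
	}
	if pin != "" && spkiPin(leaf) != pin {
		return ErrPinMismatch
	}
	return nil
}

// Outcome records which client configuration detects the interception.
type Outcome struct {
	PersonalStoreRejectsMITM bool // user-controlled roots: proxy cert fails chain validation
	ManagedStoreAcceptsMITM  bool // employer-managed roots include Corp Root: proxy cert validates
	PinRejectsMITM           bool // same managed roots, but the pin catches the proxy's key
	PinAcceptsRealSite       bool // the pin still admits the genuine certificate
}

func runScenarios() (o Outcome, err error) {
	issue := func(serial int64, cn string, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		c, k, e := newCert(serial, cn, parent, pk)
		if e != nil && err == nil {
			err = e
		}
		return c, k
	}
	publicCA, publicKey := issue(1, "Public CA", nil, nil)
	realLeaf, _ := issue(2, host, publicCA, publicKey)
	corpCA, corpKey := issue(3, "Corp Root (TLS inspection)", nil, nil)
	proxyLeaf, _ := issue(4, host, corpCA, corpKey) // what the inspection proxy presents for host
	if err != nil {
		return o, err
	}
	personal := x509.NewCertPool() // trust store the user controls
	personal.AddCert(publicCA)
	managed := x509.NewCertPool() // employer-issued device with Corp Root pushed in
	managed.AddCert(publicCA)
	managed.AddCert(corpCA)
	pin := spkiPin(realLeaf) // what a pinning client ships for host

	var unknownCA x509.UnknownAuthorityError
	o.PersonalStoreRejectsMITM = errors.As(checkConnection(proxyLeaf, personal, ""), &unknownCA)
	o.ManagedStoreAcceptsMITM = checkConnection(proxyLeaf, managed, "") == nil
	o.PinRejectsMITM = errors.Is(checkConnection(proxyLeaf, managed, pin), ErrPinMismatch)
	o.PinAcceptsRealSite = checkConnection(realLeaf, managed, pin) == nil
	return o, nil
}

func main() {
	o, err := runScenarios()
	fmt.Println(o, err) // all four fields print true
}
```

The second and third outcomes together are the thread's point: once the corporate root is in the trust store, chain validation is satisfied by design, so the only client-side signal left is a pin (or a comparable out-of-band expectation about the key), and a client that does not carry one, as most mail clients and browsers do not for arbitrary sites, sees nothing wrong. The pin is over the public key rather than the certificate so that routine renewals with the same key do not break it; rotating to a new key requires shipping a new pin first.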



