> Yes they could have accessed logs before but there’s a difference between directed checking after incidents and active surveillance at scale.

Not really from the perspective of my own risk/reward calculation. I don't know in advance what's going to be considered an "incident" that will make corporate IT suddenly want to search my work computer. Better to simply have a policy of never using a computer my work controls for personal data, especially when I already have my own computers for that that I use regardless of what job I happen to be working at.