I asked if my personal data was stored in files downloaded to the laptop; they said yes.
When I asked why my data needed to be downloaded to the laptop and not limited to just online access, they stopped responding.
This of course was the same company who mailed me my co-workers' salary in spreadsheet form, twice, because my name was similar to another manager's.
Why that was necessary was beyond me too.
Even then, it’s unlikely that a security person would recommend compartmentalizing this particular data set. Any application that needs access to some of it probably needs access to all of it, and it makes little difference if you compromise a server and get one key or if you get 30 keys. The trust boundaries haven’t moved, so it would increase cost without really mitigating any threats.
Doesn’t excuse what happened, obviously.