Sign in to the Google Admin console: Use an account with super administrator privileges.
Navigate to Mobile and endpoint management: Go to Devices > Mobile and endpoints > Settings > iOS settings.
Data sharing settings:
In the iOS settings, go to "Data Sharing."
Under "Data Protection," clear the checkbox for "Allow users to copy data to personal apps." This ensures that data cannot be copied from managed Google apps to unmanaged personal apps.
Enable Advanced Mobile Management:
Navigate to Devices > Mobile and endpoint management.
Turn on "Advanced Mobile Management" to enforce the data protection policies on iOS devices.
Reference:
Google Workspace Admin Help - Manage iOS settings
Google Workspace Admin Help - Advanced mobile device management

In order to maintain the former employee's data, their license should switch to Archive User. Their account should be disable so as to prevent further leaks. The next step is the creation of a matter in Google Vault for further investigation of the leaked data.

To manage end-user iOS devices, you need to configure an Apple Push Certificate, which allows Google to communicate with your devices and enforce security policies1. The certificate expires annually, so you need to renew it before it expires1. You should use a work address that can be accessed in the future, because you will receive email notifications from Apple when the certificate is about to expire1. The other options are incorrect because:
There is no option to "enforce management on iOS devices" under "company owned devices" in the Admin console2.
You cannot select "certificate never expires" when configuring an Apple Push Certificate. The certificate always expires after one year1.
There is no option to enable the Apple Push Certificate connector in the Admin console. You need to download the public key from Google and upload it to Apple Business Manager or Apple School Manager2.

Using Google Vault to create a matter specific to the M&A deal allows for legal, secure, and privacy-compliant retrieval of emails. You can search for the specific emails related to the merger and acquisition, export them, and share them with the legal department without granting direct access to the employee's mailbox. This approach ensures both data privacy and compliance with organizational policies.

Inbound Gateway Configuration:
An inbound mail gateway ensures that all incoming emails are routed through specified servers.
Configuring the inbound gateway to recognize your Exchange server IP addresses prevents internal emails from being marked as spam.
Steps to Configure:
Go to the Google Admin console.
Navigate to Apps > Google Workspace > Gmail > Advanced settings.
Scroll to the "Spam, Phishing, and Malware" section.
Configure the "Inbound Gateway" settings:
Add your Exchange server IP addresses.
Ensure these addresses are listed as trusted sources.
Reference
Google Workspace Admin Help: Configure Inbound Mail Gateway