I have made cases on this in the past and helped users in the forums.
Basically DLP in Sophos Central works great, as long as you can alter the location of the Secure Attachment Folder if Outlook. This is not too difficult but cannot be done in certain licensing levels of Office 365. More specifically any license that does not allow Group Policy management because Office 365 will simply change the registry setting back to its default when ever you attempt to attach a document to a new email. For example Business Premium, if you can use Group Policy management then great the change will stay.
None of the current KB's outline this licensing aspect and many users get confused when trying to set this up.
Different licensing levels of office 365 in the two links below.
The current KB also has no real mention of how to make the appropriate changes in the GPO, only that the ADMX files are needed, which does not help matters either.
There is also a good understanding of how to change the GPO settings here, although it is 2013 the same aspects will apply: https://www.sourceonetechnology.com/setting-the-default-file-location-for-attachments-in-microsoft-outlook/
I would request you to comment on that article so that I can follow up with the concerned team regarding this.