When it comes to the Advanced Threat Protection features, one thing really stood out to me. So when I heard it, I immediately thought of a funny television commercial I had seen.

In the commercial, bandits burst into a bank and command everyone to get down on the floor.  A uniformed man is standing there. Then one of the bank customers looks up from the floor and asks him if he's going to do anything.  The fellow in the uniform turns and says that he is not a security guard. This guy is a security monitor. Guess what? His job is to warn people when there is a robbery.  He looks around and does nothing! However, he does announce, "There's a robbery."  By default,  Advanced Threat Protection takes a similar approach.

Microsoft's philosophy here is that it warns the end user and then trusts them to make the right decision.

To balance productivity and security, the user has the ability to override the security warning and take the action anyway.  The idea is that if you warn someone that something is not right they'll make the right choice.  I suppose that if I were to rely on this strategy (and I am not sure I would want to) solid communication and an education process should be in place. Employees then know exactly what to expect.  This includes clearly defined and enforceable policies in place.  If you'd prefer that your security be more than a monitor you can configure the tool to prevent users from overriding the warning.

Social Security Numbers, Account Numbers, or Credit Card Number are automatically classified based on recognizable content.

You can track documents using Azure rights management. This is true even if the documents have left your organization. Metadata appended to documents are checked when someone tries to open them.  Similarly is the concept of a CRL check of a security certificate.  If the check does not identify that the user has the permission to open the file, their request for access to the document is denied.  The files can be tracked and access revoked right from the ribbon in Office.  As a way of keeping tabs on documents that have been shared with recipients outside of the company, this functionality looked really nice.

TLS encryption protects Microsoft 365 and Office 365 network communications as well as data at rest.

The BitLocker that we have all come to know is still an option, encrypting data at either 128 or 256-bit cipher strengths.  In addition, Service Encryption is available as an option. The application encrypts data as it writes it to the disk with Service Encryption.  This provides an additional protection against theft.  Admins or users with privileges are the only ones that can access data that is encrypted.  The user, however, can work with the data seamlessly, including usage of features like search and indexing.

A Microsoft 365 environment can be managed.

Other web-based tools are available as well.  For example, Microsoft Compliance Manager can help you monitor and correct regulatory compliance and security issues in your environment, providing a workflow for managing the people and processes involved in administering the associated tasks.  Another available tool is the Secure Score website will help you by helping you to analyze your environment and providing you with suggestions about your security, making you aware of changes that you can make and features (which you may not even be aware of) that you can leverage which can make your enterprise more secure.  I suggest you learn a little more about Secure Score.
If you decide to leave the Microsoft cloud infrastructure, you can purge your data from the cloud.