It isn’t. You will have to speak with the IT staff to understand how they have it configured. If you have an issue with this use a third party open source client.
The point is, any enterprise client is expected to have these features. Don’t install them on your personal laptop if you have a problem with what is expected behavior.
Let's lay this out. Let's say you are a government IT shop (it doesn't matter what level, state, nation whatever), or a bank, or a hospital, you are required by law to control how data is processed on your network. Therefore you must monitor compliance for devices connecting to your network. This is what GlobalProtect was designed for. It can be used in less restrictive environments, but the IT shop should make sure to audit the rules and policies of the client to not be overly burdensome on users. Palo Alto has numerous courses to train IT professionals to configure their products. It is on the IT professionals to configure the services correctly.
Right, Global Protect is great in regulated environments. You can turn on its always on functionality and devices can then be used while connected to VPN or not at all. If that setting is configured in an environment where users are connecting their personal devices, it's misconfigured, pure and simple.
The point is, any enterprise client is expected to have these features. Don’t install them on your personal laptop if you have a problem with what is expected behavior.