We have not yet moved to instant clones, but I have been doing some research beforehand to make sure we are OK to migrate.
Currently we have linked clones, use Drive File Stream, and have the beta feature to limit access to company-owned devices, as that seems to be the only way to limit it from being accessed from other machines that we do not trust. However, the way they do this is to import serial numbers via the Google Workspace Admin panel. I can't be going in and adding serial numbers daily or hourly when new VMs are spun up for users.
I would be interested to know how your experience has been so far with or without turning on this beta feature.