Separate your system and user lists. Use home-manager for example for your user packages. I think separating those configs is the official recommendation.
As for the rest, I'm using nix on MX because of declarative package management. Screw going back to imperative and having to remember what packages to install. If it's something I use often, it goes on a list; if I don't, nix shell comes to the rescue.
I'd rather mess around with dev envs for nix than distrobox.
Does your company have a serious IT department that manages devices?
If yes, then you'll need to do whatever they say, and be ready to be told that's not happening.
If not, I'd suggest a stable distro, encrypt the disk, and use flatpak/nix to install fresh packages. Fedora could work, but I've had bad luck with it, and wouldn't want to risk my device crapping out because of an update.
The rest is really going to depend on your work and your IT department.