If that was not enough, I believe the CI runner is written in the Go programming language, which has a surprisingly decent abstraction of OS functionality in its standard library. Imperfect as it may be, I suspect that helps reduce the amount of effort needed to ensure individual platforms work properly.
Maybe with a Windows VM.
The prohibition on developer laptops is not just a trivial or nitpicky detail; while the security of a VM obviously still matters, as you can't simply assume that malicious software in the VM can't escape, I would assume that the policy effectively means it would also be prohibited to set up a Linux dom0 and just run Windows under that and use it as your developer workspace. The benefit of only using Windows for testing is that you presumably won't be reading emails, talking on team chat, taking video calls, opening documents, etc. inside of Windows, only doing the thing you actually need (testing). From a security standpoint, this can be helpful. I think that Windows vs Linux security is a rabbit hole not worth debating; both are very flawed and have many challenges, nothing is a panacea. However, I would say that every OS you don't need to harden is a huge operational advantage no matter how you slice it. You effectively cut off an entire slice of the malware market, and easily the largest slice in the case of Windows.