This piece from Apple Platform Safety Information (HTML, PDF) appears to recommend that solely customers authenticated on this explicit Mac can boot it from an exterior drive:
A Mac with Apple silicon doesn’t require or help a particular media boot coverage, as a result of technically all boots are carried out domestically. If a consumer chooses as well from exterior media, that working system model should first be customized utilizing an authenticated reboot from recoveryOS. This reboot creates a LocalPolicy file on the interior drive that’s used to carry out a trusted boot from the working system saved on the exterior media.
This implies the configuration of booting from exterior media is all the time explicitly enabled on a per working system foundation, and already requires consumer authorization, so no further safe configuration is important.
One other piece: as of M1, volumes have possession. When making a second boot drive, a consent is required from a consumer on the default boot drive at hand off Possession to the customers on the second boot drive.
Which suggests that customers who “personal” an exterior boot drive could possibly be not allowed as well another person’s Mac as they aren’t on the identical hierarchy with customers on that Mac.
However I might very welcome somebody extra educated to touch upon that.
