Simulation mode is supported for auto-labeling policies and woven into the workflow. You can't automatically label documents and emails until your policy has run at least one simulation.
Workflow for an auto-labeling policy:
1. Create and configure an auto-labeling policy.
2. Run the policy in simulation mode, which can take 12 hours to complete. The completed simulation triggers an email notification that's sent to the user configured to receive activity alerts.
3. Review the results, and if necessary, refine your policy.
4. Repeat step 3 as needed.
5. Deploy in production.
Creating an auto-labeling policy
Step 1: Sign in to the Microsoft Purview portal > Solutions > Information Protection > Policies > Auto-labeling policies.
Step 2: Select + Create auto-labeling policy. This starts the New policy configuration:

Step 3: For the Choose a label to auto-apply page: Select + Choose a label, select a label from the Choose a sensitivity label pane, and then select Next.
Step 4: For the page Choose info you want this label applied to: Select one of the templates, such as Financial or Privacy [Select Confidential - Finance label]. You can refine your search by using the search or dropdown box for countries or regions. Or, select Custom policy if the templates don't meet your requirements. Select Next.
Step 5: For the page Name your auto-labeling policy: Provide a unique name, and optionally a description to help identify the automatically applied label, locations, and conditions that identify the content to label.
Step 6: For the page Assign admin units: [Keep default]
If you don't want to restrict the policy by using administrative units, or your organization hasn't configured administrative units, keep the default of Full directory.
Step 7: For the page Choose locations where you want to apply the label: Select and specify locations for Exchange, SharePoint, and OneDrive.

Step 8: For the Set up common or advanced rules page: Keep the default of Common rules to define rules that identify content to label across all your selected locations. If you need different rules per location, including some rules that are only available for Exchange, or SharePoint sites and OneDrive accounts, select Advanced rules. Then select Next. [select Advanced rules. Then select Next]
8a. To select a sensitive information type or trainable classifier as a condition, under Content contains, select Add, and then choose Sensitive info types or Trainable classifiers.
8b. Select the the Credit Card Number sensitive info type.
Step 9: Depending on your previous choices, you'll now have an opportunity to create new rules by using conditions and exceptions. [Skip] Step 10: If your policy includes the Exchange location: Specify optional configurations [Skip] Step 11: For the Decide if you want to test out the policy now or later page: Select Run policy in simulation mode if you're ready to run the auto-labeling policy now, in simulation mode.

Step 12: For the Summary page: Review the configuration of your auto-labeling policy and make any changes that needed, and complete the configuration.
Reference:
https://learn.microsoft.com/en-us/purview/apply-sensitivity-label-automatically

Explanation:
Box 1: Yes
User1 is included in the JIT protection scope.
File1.docx has the file classification evaluation status of not evaluated, and is located on Device1.
Device1 is onboarded.
JIT will block the action.
Note: In a Microsoft 365 environment with Purview and Just-in-Time (JIT) protection, a file with a
"not evaluated" classification status will be protected by JIT. When JIT protection is enabled, Endpoint DLP will block all egress activities on monitored files while waiting for policy evaluation to complete, including when the evaluation status is "not evaluated".
Box 2: No
User2 is not within the JIT protection scope.
Box 3: No
User3 is included in the JIT protection scope.
File3.docx has the file classification evaluation status of not evaluated, and is located on Device3.
Device3 is not onbarded.
Reference:
https://learn.microsoft.com/en-us/purview/endpoint-dlp-get-started-jit

Turning on indicators is required to enable the monitoring of user activities, such as file sharing and access to sensitive data, which are used by insider risk policies to evaluate risk.
Creating an insider risk policy allows you to define risk scenarios, such as data leaks to external users, and trigger alerts when the policy conditions are met, including sensitive info sharing from SharePoint Online (Site1).
Reference:
https://learn.microsoft.com/en-us/purview/insider-risk-management-settings-policy-indicators

Explanation:
https://docs.microsoft.com/en-us/microsoft-365/compliance/dlp-microsoft-teams
https://docs.microsoft.com/en-us/microsoftteams/sharepoint-onedrive-interact