Security defaults make it easy to protect your organization with the following preconfigured security settings:
Requiring all users to register for Azure AD Multi-Factor Authentication.
Requiring administrators to do multi-factor authentication.
Blocking legacy authentication protocols.
Requiring users to do multi-factor authentication when necessary.
Protecting privileged activities like access to the Azure portal.
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults

Explanation:

Microsoft's sensitivity labels (Microsoft Purview Information Protection) support user-driven labeling: "Users can manually apply sensitivity labels to files and emails" and organizations can also configure automatic or recommended labeling. This confirms that end users are permitted to choose a label themselves when policy allows. Microsoft also clarifies the cardinality for items: "A document or email can have only a single sensitivity label applied to it at a time." Therefore, applying multiple sensitivity labels to the same file is not supported (labels are mutually exclusive on a given item). In addition to classification, labels can enforce protection and visual markings: "When you configure a sensitivity label, you can add protection settings such as encryption and content marking (headers, footers, and watermarks)." Word, Excel, and PowerPoint honor these content markings, so a label can automatically stamp a watermark on a Word document while embedding the label metadata for persistent protection. Together, these authoritative statements from Microsoft's SCI documentation establish the correct responses: Yes (manual application), No (only one label per file), and Yes (labels can apply watermarks).

In Microsoft Purview (Microsoft 365 compliance), a retention policy applied to a SharePoint site keeps content for the specified period (e.g., 1 year) even if users delete it. Items are retained and recoverable until the retention period expires, meeting your preservation requirement.

Microsoft 365 Information Barriers are compliance policies used "to prevent certain segments of users from communicating or collaborating with each other." In Microsoft's guidance, IB policies are designed for scenarios like insider trading restrictions, M&A deal rooms, or research-sales separation, where it's necessary to block chats, calls, and collaboration between defined user segments. The documentation explains that when IB policies are in place, "users in the blocked segments cannot search, discover, or communicate with each other in Microsoft Teams," and IB v2 extends these controls to additional collaboration workloads such as SharePoint and OneDrive. By contrast, email restrictions in Exchange Online are addressed through mail flow rules or other Exchange features, not information barriers, and restricting unauthenticated access or external sharing is handled by identity access controls and sharing settings, not IB. Therefore, the specific use case is restricting Microsoft Teams chats (and related collaboration) between certain groups within an organization.