Some information is sensitive enough to require more active measures. Though you can conceivably handle this through mail flow rules, both Microsoft 365 and Google Workplace have built-in compliance settings to monitor Social Security Numbers, Driver's License Numbers, Credit Card Numbers, Tax ID's, etc., both in terms of how and where it's stored and how it's transmitted and to whom.
In Microsoft 365, from the sample below, the Admin Console Compliance Center has a Data Loss Policy area that has pre-made templates for PII, HIPAA, finance, and others. In a few clicks, you can walk through setting up the option to disallow the sending of this information based on thresholds. For example, it can be set to disallow sending infromation through email or Sharepoint if there are more than 5, 10, 20, 100, etc., SSN's included in the message or document. Or, it can be set to allow, but send a supervisor a notification. These policies can be set up to apply to data shared to internal users, external users, or both.
In Google Workplace, DLP is handled through rules in the Security section of the admin console. Specific instructions walking through setting up DLP rule triggers
can be found here