They used to require that you enable it and it would send a notification out to all users of your Slack instance ( they also wouldn’t have access to data prior to that without a legal request) but now they just let you enable it silently.

They are only secure so far as everyone in the DM or private channel is employed. The company can always take over old accounts and get access to DMs that way.

If everyone has to use corporate email addressees they could just take over the emails temporarily to reset the password. If they really cared they could do so without the user ever knowing. They could also put language in their employee handbook or contract saying that you have to give them your password and fire for refusing... however, I fail to see how any of this is an issue since this is the company Slack and they have the right to see how people are using it.