For your scenario, I agree, separate ad-hoc encryption is required (e.g. external addresses).
The systems I administer use Microsoft DLP, which runs on our existing Office 365 cloud infrastructure. You can set up certain trigger words, sensitive information categories, activation on external addresses, encrypt-only for a specific sender, manual activation, etc.
There’s a good video which explains Microsoft’s solution but it also explains the general principles of all vendors’ DLP solutions in case you’re not familiar.
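As an added illustration of the kind of triggers described above (not the poster's own configuration, and not taken from the video), the following PowerShell shows how a DLP policy with an "encrypt when leaving the organisation" rule and a keyword-based manual-encrypt mail flow rule can be created in Microsoft 365. Names such as `Outbound-PII-Encrypt`, the `[encrypt]` subject tag and the choice of sensitive information types are assumptions for the example; the cmdlets are the documented `New-DlpCompliancePolicy`, `New-DlpComplianceRule` and `New-TransportRule` from the ExchangeOnlineManagement module, but check each parameter against `Get-Help <cmdlet> -Full` in your tenant, since the available predicates change over time.

```powershell
# Added example, not the poster's configuration. Requires the
# ExchangeOnlineManagement module and an account with Compliance admin rights.
Import-Module ExchangeOnlineManagement

# --- 1. DLP policy: sensitive information types + external recipients -------
# Security & Compliance PowerShell session (DLP cmdlets live here, not in EXO).
Connect-IPPSSession

# Start the policy in test mode so it reports matches without enforcing.
# Switch -Mode to Enable once the incident reports look right.
$policyName = 'Outbound-PII-Encrypt'   # assumed name
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Encrypt mail carrying PII when it leaves the organisation' `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# Rule: fire only when the recipient is outside the tenant (AccessScope
# NotInOrganization) AND the body/attachments contain one of the built-in
# sensitive information types. minCount=1 means a single hit is enough.
# EncryptRMSTemplate applies Office 365 Message Encryption via the
# built-in "Encrypt" (encrypt-only) template; NotifyUser shows a policy tip.
New-DlpComplianceRule -Name 'Encrypt PII to external recipients' `
    -Policy $policyName `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number';                 minCount = '1' },
        @{ Name = 'U.S. Social Security Number (SSN)';  minCount = '1' }
    ) `
    -EncryptRMSTemplate 'Encrypt' `
    -NotifyUser Owner `
    -GenerateIncidentReport 'secops@example.com' `   # assumed mailbox
    -IncidentReportContent @('Sender', 'Recipients', 'Detections', 'Severity')

# --- 2. Manual activation: a keyword the sender puts in the subject ---------
# This is a mail flow (transport) rule in Exchange Online rather than DLP;
# it lets a user force encryption by writing "[encrypt]" in the subject line.
Connect-ExchangeOnline

New-TransportRule -Name 'Manual encrypt via subject tag' `
    -SubjectContainsWords '[encrypt]' `
    -ApplyRightsProtectionTemplate 'Encrypt' `
    -Comments 'User-initiated encryption; the tag itself is an assumed convention'

# --- 3. Quick verification -------------------------------------------------
# Confirm the objects exist and review the predicates before enabling.
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, AccessScope, EncryptRMSTemplate, Disabled
Get-TransportRule -Identity 'Manual encrypt via subject tag' |
    Select-Object Name, SubjectContainsWords, ApplyRightsProtectionTemplate, State
```

Leaving the policy in `TestWithNotifications` for a week and reading the incident reports is the usual way to tune keyword and sensitive-type triggers before anything is enforced, because a false positive on an outbound rule silently changes what the recipient can read.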