The private key stays on the user’s computer and never leaves.
When someone sends you an encrypted email, they encrypt it with your public key. You decrypt it with your private key. Only you possess the private key.
In the above scenario, the company has your private key, too. You are using your company's email infrastructure and they can block any attempt to use a key they don't manage on your email.
In the circumstance we are all talking about, the employer has these things (the Government). That's how they can see all of this.
No, they don't. The private key is generated in your browser and never leaves. You can mark it exportable and place it in an encrypted file, but you actually have to do that. Nobody can do that but you; it can't be done automatically without your knowledge. There is no system that I know of (and I know almost everything about this topic) where a private key is generated anywhere else.