You should really learn about end-to-end encryption. There is no private key (or symmetric key) "management". That is a '90s concept that was pushed by the statist government and corporations, but it failed miserably when PGP and similar tools came out. Private keys are stored encrypted on people's computers only.
The only possible way you can be correct is if administrators get a network backup and then crack a user's master key that is used to encrypt the private keys. You mentioned it and I considered it, but dismissed it, mainly because I decline to use the company backup (encouraged, but not required at my company). Now that you have dropped that idea and gone back to "key management" which you clearly don't understand, I know my private key is safe from your FUD. My email cannot be decrypted by anyone other than my recipients and myself.
It's been around for decades: https://en.wikipedia.org/wiki/S/MIME and I have not only used it for two decades, but I have worked on related software. It encrypts end-to-end and can only be decrypted with the private keys of the recipients or sender. My email cannot be read by anyone else in the middle or in storage on the company server.