Allow Zero Trust users to route all traffic via WARP

Currently for performance/reliability reasons we have a WARP split tunnel configuration for Zero Trust users. However, this might not be the most secure for users working from an insecure internet connection (e.g. public WiFi). Would it be possible to allow users to choose to route all traffic through WARP while preventing them from changing all settings?