A mesh of multiple locations like you have is simply asking for crypto to hit all the things.
Exactly what I've been telling them.
VPNs and AD, the same. The mesh "should" not pose any threat because there should be nothing exposed over the mesh. But given the rest of the design, we can safely assume there are security holes everywhere and they are just trying to open more.
These are the flags that hackers look for when finding easy targets.