I will say this ... The loosey-goosey way in which classified documents "appear" to be handled is quite troubling. Either they are treating classified documents quite cavalierly, or boring everyday dispatches are marked ‘classified’ willy-nilly. Maybe a bit of column A, a bit of column B. There should definitely be a procedure, a log, "something" that lists who has what so that it can be returned to the proper place. I can see how easy it was for Trump to pilfer boxes of CD.
What if I told you it was both of those things combined?
There is entirely too much information that is classified. You can have 10 pieces of information/documents that are unclassified on their own, but put them in the same place and it's now all classified by aggregation. This has been the case for as long as I've been around it. Just oodles of anything that is remotely "interesting" gets marked out of an abundance of caution.
And, at upper executive levels or where your entire office or workspace is technically a SCIF, shit does get left around or treated as the rest of your work product. The former more so because at those levels who is gonna say anything or challenge an SES or DD?
Now at the grunt level where an SSO is reporting security violations or your just a worker bee that no one cares about? Yeah, it's way more cautious because your job and livelihood can be gone for one (maybe two if you're lucky) slips.