Coming from a lab perspective where it has Enforce, CDS for WSS, and CDS for CASB: CloudSWG only wants to know if there is a CASB gatelet activated and, if so, it knows to route that over to the CASB gateway. From there, CASB does whatever it will do based on DLP policies. If there isn't a gatelet activated, then CloudSWG knows to run it through all its policies and to use the CDS for WSS instead. Cloud traffic never goes on-prem nor uses on-prem resources for the inspection process. We leverage GCP infrastructure to do the heavy lifting for this process.
As for Cloud Managed DLP or CASB/Enforce hybrid, both scenarios use the CDS REST detector in the same way to handle content inspections. In both setups, the CDS is always aware of any policies created.
What this means is that the traffic flow remains the same in both scenarios (with or without Enforce), as follows: End User Device > CloudSWG > CloudSOC Gateway (assuming a gatelet turned on) > CDS > O365 infrastructure.
Here is a traffic flow diagram: