My understanding, based on the folks I know at Google, is that the BeyondCorp paper was a PoC that was implemented in part of their corp network, which is called Production, not to be confused with the production network that hosts their search site. That network still requires a VPN and a hardened Linux laptop to access. Not every service has been modified to implement the RPC calls / authenticated protobuf code changes.
Someone at Google please feel free to correct me on this.
BeyondCorp is not just a proof of concept. Everything at Google is accessed through it, including production-production (through a proxy maybe? Not sure the details). You're right about the requirement to have a hardened device -- which acts sort of like a token (as described in the BeyondCorp whitepapers). But it can be Windows, Linux, Mac, Chromebook, Android or iPhone. I never use VPN and I work on production stuff from outside the office all the time.
(FWIW, I don't think there's anything secret here. This stuff is very explicitly described in the whitepapers.)
As I understood the paper, their production version is called überproxy and has access to everything they host, as they moved all their applications onto it (notably, this means SSH now has to go through Chrome).
With BeyondCorp, the production network you access does host all of the critical jobs including search. But of course you only get to manipulate these jobs in an approved way, e.g. using an RPC to bring up or bring down a job. Interacting with jobs by sending them RPCs requires ACLs naturally.
You don't get direct SSH access to production machines or any other lower level network access like packet sniffing on the production network.
A key reason why BeyondCorp actually works is hardly anybody needs to SSH to prod, and people who do need it, need it rarely. Everything at Google has rich RPC control surfaces and the tools are installed on users' workstations to invoke the RPCs. Status of everything is available via HTTP, in your browser. No need to SSH to a server to read logs or restart a process. Need to collect hardware PMU counters in prod? There's an RPC service for that. Not only do these rich interfaces enable BeyondCorp, they also cut down on insider risk because it's no longer considered "normal" to get an interactive shell session in production.