Catalina on HDD MBPro: how to secure erase free space

Since you are running Catalina the "Macintosh HD" contains the macOS system files which is located on a read-only APFS volume now. If you want to erase the free space you need to do so on the "Macintosh HD - Data" read+write volume containing the user folder(s). I believe with Catalina the default mount point is in "/Volumes".

About the read-only system volume in macOS Catalina - Apple Support

It would be easier to just enable Filevault so no one without your admin password would be able to access anything on the hard drive even if the laptop is booted to external media.

I've heard that the Disk Utility GUI has removed the secure erase feature because the majority of Apple systems are now running SSDs where you have a limited number of lifetime writes available before wearing out an SSD. I don't know if "diskutil" is similarly affected even if you are using a hard drive. What error message do you get when issuing the command?

Just checked a fresh Catalina install and the "Macintosh HD - Data" volume appears to be mounted at:

/System/Volumes/Data

I don't recall this so I wonder if a later update has changed the mount point. You may be prompted to allow the Terminal to access the volume (or some folders within it like the Desktop, and other folders).

I'm probably less technical than either of you, but my understanding is that it might be unsupported on SSDs for the reasons stated earlier...old-style secure erase passes are considered a waste of writes and SSD lifetime, especially when encryption is on, for the reasons expanded on below.

When encryption is on, the goal is already achieved already. What old-style secure erase passes achieved was obscuring the data previously written at those locations by overwriting them so that the next person who tried to read it would see gibberish. When good encryption is on, anyone who does not have the encryption key will see gibberish on the SSD, so the job is already done.

If the point is to "secure erase" specific memory locations even when encryption is off, that was easier with hard drives because their drive heads were much more likely to write files directly to specific memory locations as contiguously as possible. But the way SSDs work to do things like wear leveling, files are much more likely to be scattered in a million pieces distributed a lot more widely across the SSD...very difficult to recover even if unencrypted. Also, there is an abstraction layer between the OS and the controller that means where any software tells the SSD to write might not be exactly where they expect, making it difficult for a software utility to verify that you actually erased what you meant to. (Translation: A secure erase of an SSD cannot be guaranteed to be 100% effective) If the point is to secure an area when the encrypted SSD is currently unencrypted because a valid key was entered, some would probably argue that secure erase is pointless if someone already has access to the entire rest of the account.

The two links that were most informative on this are this one

https://apple.stackexchange.com/questions/146733/why-is-a-secure-erase-not-necessary-for-ssds

which led to this very informative one

https://security.stackexchange.com/questions/5662/is-it-enough-to-only-wipe-a-flash-drive-once/5665#5665

The role of the AES key is also interesting; even if you don't use FileVault it is still a key that is used with that abstraction layer, so if it's reset, nobody's going to recognize the data that used to be on that SSD anyway because the map connecting all the tiny scattered little pieces of data is gone.

After reading those I'm even more convinced that trying to secure erase an SSD is either not necessary, or not effective if attempted.

I'm guessing the erase freespace feature isn't supported with an APFS volume. Apple isn't known to be great at providing proper documentation.