Your domain is company.local; what happens if someone renames their Mac to company? What do clients looking for company.local resolve that name to? Why do you want to put yourself in the position of causing problems when the fix is simple and well known?
The root would be companyroot.local, and the actual domain would be subdomain.companyroot.local.
If a Mac user causes a problem, I go and fix it, and tell them not to do it again, with a big stick -- in other words, I have control over my environment. In your example, every client on my network is pointing to *my* DNS servers, so the fact that there is a rogue computer on the network is irrelevant to me.
What happens if a Mac user shows up with a digger and digs up the front of the building and disrupts the internet connectivity of the building? Blame it on .local!
Sorry... getting a little carried away here. Let me know if I'm coming across as rude or aggressive -- I'm not trying to be. It's just one of my little pet peeves that occasionally gets the chance to rear its ugly head.