This is true of most phones, but not the Nexus or Pixel devices. If Verizon had modified the P2XL firmware, Verizon would be hosting the firmware package. However, if you head over to Google's download pages for Nexus and Pixel devices, you will find the current firmware package available for the P2XL. There are two variants there. One is for Telstra devices, but the other is for the rest of the world, including Verizon. I don't recall instances of Google Store-purchased devices using Verizon SIMs ending up bootloader locked. Thus the bootloader included within the firmware package is not locked.
The problem people on this thread are having is they are unable to find the trigger that locks the bootloader. I can only speculate here, but I think during the "checking for updates" process in Android setup, the setup routine transmits the IMEI to Google, which then compares it to a list of Verizon devices. If a match is found, either a command to encrypt the bootloader is sent, or an encrypted bootloader is silently installed in place of the unencrypted one. Setup than continues. This ability to directly update the device during setup has existed since at least the Nexus 6. Prior to that Samsung had a similar setup that pre-installed specific apps based upon the region code of the device, but the Samsung setup was easily modified by changing the region code.
The net result is a device with a locked bootloader. And yes, Google did agree to the locked bootloader, as it likely was part of the sales agreement between Google and Verizon. That agreement likely also precludes them from ever unlocking the bootloader.