In my experience, they are seriously enforced, though any time you have a large number of people you'll definitely find exceptions. The threat of massive fines and long jail times tends to encourage compliance. Also, many of the people who work in SCIFs know they are dealing with information that, if released, could lead to a number of people getting killed (think intelligence sources) or a country being unable to defend itself because a US weapon system was compromised (think Ukraine). Nation-states are working to extract information from SCIFs, it's not a theoretical problem, and SCIF users know this.