She likely wasn't using separate work and personal profiles. That's a fairly new innovation. I've been using Android since the first public device was sold and only started doing it with the Samsung S10 5G. Most people just accept company MDM on their personal profiles and install everything in the same place.
This isn't that hard to understand. In order to access corporate email systems, you have two choices generally. Either you use a Corporate Owned device or you use a Personal Device but allow Corporate to do what they want to it.
In either situation, the corp has the ability to remotely wipe the device and enforce other policies on said device.
This should be abundantly clear to anyone who works in Tech.
And to anyone who believes that corporations have a responsibility to protect the data they collect (and should be held civilly, if not even criminally liable for breaches), anything less than having complete control over devices holding corporate data is corporate malfeasance.