by thegagne 75 days ago
Not if you are part of an org that uses MDM and pushes their own CA to devices.

Ok, fair point. However, I would consider any MDM-enabled device fully "compromised" in the sense that the org can see and modify everything I do on it.
An MDM org cannot install a trusted CA on non-supervised (company owned) devices. By default on BYOD these are untrusted and require manual trust. It also cannot see everything on your device - certainly not your email, notes or files, or app data.
As someone who has an MDM-managed device, I beg to differ. Although, this one uses newer style Android MDM, which involves factory resetting and doing special things during OOBE. Even if it used the older style, nothing's stopping the app from requesting file access, notification access, etc. and not working until you grant the permissions.
Android has multiple options for MDM - the less invasive one has a completely separate work profile that should not give the org that kind of access.
Nothing is stopping any app from the Play Store from requesting any particular permission, not just MDM apps, right? And yet, no app can read arbitrary filesystem data including random app data without your device being rooted first.

If anything, one of many MDM purposes is to prevent orgs from enrolling rooted devices in their fleet.

If it is untrusted, you also won't have a TLS connection established based on that CA.
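Added example, not part of the thread: on Android the "manually trusted" distinction above has a concrete mechanism. A CA that a user (or an unprivileged MDM app) adds lands in the user trust store, and since Android 7 an app trusts only the system store by default; it has to opt in to user-added CAs through its network security config. The two fragments below show the default-equivalent config and the opt-in; the file name and the domain are illustrative assumptions.

```xml
<!-- res/xml/network_security_config.xml (illustrative file name) -->
<network-security-config>
    <!-- Default behaviour for apps targeting API 24+: only the system
         trust store counts. A CA pushed into the user store, whether by
         hand or by an MDM on an unsupervised BYOD device, does not
         validate this app's TLS connections. -->
    <base-config>
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Explicit opt-in: this app additionally accepts user-added CAs.
         Only with a block like this (or a pre-API-24 target) does an
         org-installed user CA let that org terminate this app's TLS. -->
    <domain-config>
        <domain includeSubdomains="true">example.internal</domain>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </domain-config>
</network-security-config>
```

The config is referenced from the manifest via `android:networkSecurityConfig="@xml/network_security_config"` on the `<application>` element. The practical check for a BYOD user is therefore not just "is the CA installed" but "is it in the system store (supervised/fully managed device) or the user store, and does the app in question opt in to the user store".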