
I'll admit I don't know the specifics beyond what was tweeted.

I'm with you though... If an employer wants to manage my device, they can provide the device.




When I worked at Google over 5 years ago, mobile device options for accessing company accounts were a company-provided and company-owned device with a company-paid phone bill, a personal device with company-provided mobile device management (and sometimes cell phone bill expensing if you for example had on-call duties), a personal device with only limited browser-based work account access, and no account access via mobile.

The first of these could sometimes have implications for ownership of personal projects created using the device, which was one of many reasons I picked the second option, but it was absolutely permitted at least for any case where the company cared about you having mobile account access.


The third option - accessing only browser sites - is underappreciated. I never needed to install Google's MDM on my mobile devices, I just used mobile web gmail and so forth. It's great, honestly, and the mobile web Calendar has the advantage that it doesn't destroy your battery life like the Calendar app will.

I even saw a guy using the code review site on his mobile, on BART. That was dumb from the standpoint of infosec, usability, and mental health, but shows how much is possible in the browser.


Part of me thinks that MDM on employee phones has become something of a checkbox item because customers ask for it, but it's not clear to what extent it really protects sensitive customer data (which is what they're concerned about).


It is literally a checkbox item for PCI DSS.


Can you share the requirement from PCI DSS? [it's not]


Like most normal people I have no idea what PCI DSS requires. All I know is what the PCI compliance inquisitor says it says, or really what my risk management guy says the compliance guy says it says. And what’s the difference? If he says he says it says we have to have MDM on BYOD, it’s not like I’m going to write a first-principles rebuttal.


Having the code review app available outside of the corp network / VPN is pretty unusual, at least for shops who aren't just using SaaS services that are available publicly anyway (github, gitlab.com, etc).


You must have missed their "zero trust" initiative.

"""BeyondCorp began as an internal Google initiative to enable every employee to work from untrusted networks without the use of a VPN."""

https://cloud.google.com/beyondcorp


I'm aware of it as a Google thing, but I think it's fair to say that it's pretty unusual to see it anywhere else.


Nowadays, at least on Android (though I think iOS has something similar now?), one can have a work profile, and the employer can only control activity in / monitor / wipe that profile. Most employers have switched to that for personal devices.

Disclaimer: Googler, opinions my own.


With all the security implications there could be, I would just refuse to use or own a smartphone in any capacity if it's related to work, unless there was no camera, mic, or GPS sensor (or they could provide hardware switches).

Seriously, they could be logging your exact location, remotely activating the camera or doing any number of disgusting things.

Requiring the use of a spy should not be a factor in an employment setting; of course we're seeing this is the case, and it is very off-putting.

Thankfully not something I need to worry about though.


Apple's iOS MDM framework is exemplary in that regard. Access to the camera is not possible. Access to GPS is only possible if the device is marked as lost, which will visibly change the lock screen. Even when lost mode is deactivated, GPS access that happened during lost mode is highly visibly marked on the lock screen.

Installing an app that relays GPS and camera may be possible, but permissions need to be granted by the user explicitly; the MDM server cannot grant those permissions.


I don't think Apple is the best at this. Yes they limit the things you mention, but they don't limit visibility to things like the app list... This can already be quite revealing in some cases.

Google has in my opinion the better approach with work profile. Only give the MDM control and visibility over the work area and nothing else.

Apple has started heading into this direction with User Enrolment but it's not sufficient for most companies as it only allows built-in apps to be used for both work and personal data. And it requires Apple account federation which is problematic.


You don't have a work laptop?

