
Apple's iOS MDM framework is exemplary in that regard. Access to the camera is not possible. Access to GPS is only possible if the device is marked as lost, which will visibly change the lock screen. Even when lost mode is deactivated, GPS access that happened during lost mode is highly visibly marked on the lock screen.

Installing an app that relays GPS and camera may be possible, but permissions need to be granted by the user explicitly; the MDM server cannot grant those permissions.




I don't think Apple is the best at this. Yes they limit the things you mention, but they don't limit visibility to things like the app list... This can already be quite revealing in some cases.

Google has, in my opinion, the better approach with work profile. Only give the MDM control and visibility over the work area and nothing else.

Apple has started heading into this direction with User Enrolment but it's not sufficient for most companies as it only allows built-in apps to be used for both work and personal data. And it requires Apple account federation which is problematic.



