Bring Your Own Device (BYOD) MDM profiles typically don't allow personal data access outside of their sandbox, but they almost always include remote wipe capabilities.

iOS at least displays a very clear warning when you import the profile telling you exactly what it can do.

Not that this isn't awful, but it's good to be clear on what this can do when used within normal expectations.