macOS MDM on it's own is fairly okay. There is an AccessRights bit that can be loaded with the enrollment profile to allow or disallow certain actions. Certainly the protocol can be ab/used to silently install other software: endpoint detection tooling, scripts, etc. and to suppress protections normally built-in to the OS that would normally gate background usage of apps that crawl certain file paths, etc. So on it's own, no issues. Combined with 3rd party tooling, poorly written scripts, etc. dangerous.