At my company we’ve just outsourced our IT and MDM, and have had to rethink allowing personal Apple accounts on MacBooks. Our devs (all on Mac) have had their local admin revoked, and the MSP now has admin access to all machines.
It is not clear whether a separate local admin account (that can presumably access root) can access the Apple ID accounts, keychains, or locally synced iCloud directories of users. Common sense says yes, because root is root; but I know there are additional levels of access control above root on macOS. Does anyone have a definitive answer?
(I’d rather not discuss the merits of personal/company Apple IDs on company machines or whether devs should have local admin; these topics have been done to death.)
Short answer: The MSP admins will (at least mostly) have access to all users' files (including those stored in iCloud), but not users' keychains.
Long answer: Recent versions of macOS have added some pretty strong privacy protection layers, but they're oriented toward protecting users from the software they install. If an app wants access to privacy-protected data in your account (e.g. contacts, photos, files in many parts of the home directory, etc.) it has to ask the user to grant it permission. See "What and how does macOS Mojave implement to restrict applications access to personal data?" (but note that the protections have been extended since Mojave).
But these measures are all oriented toward protecting users from their apps (and by extension, the apps' developers), not from other users on the same system. Protection from other users is all based on regular file permissions, and root bypasses them as usual. An admin might need to grant the app they're using something like "Full Disk Access" in the privacy controls, but as an admin they're allowed to do that. They might also have trouble getting at iCloud files that haven't been synced to the local disk, but I wouldn't count on that as offering any real protection.
Note: root is not quite all-powerful, since there's another protection layer, System Integrity Protection ("SIP"), but that (as the name implies) protects the operating system, not user data.
Keychains are different because they're stored encrypted (based on the user's login password, so they can be auto-unlocked when the user logs in). Even when unlocked, access to them is pretty strictly controlled (and the controls are protected by SIP). I won't say it's impossible for an admin to get access to other users' keychains, but I think it'd take pretty extreme methods, like installing a keylogger to capture the user's password or maybe a spyware kernel extension (though Apple's limiting those too).
BTW, a sort of intermediate approach occurs to me: if they wanted to, your devs could create additional iCloud accounts for work use, make them members of their personal account's "family", and use family sharing to allow partial access to their own iCloud data (and purchased apps). I'm pretty sure Apple doesn't approve of this method, but I don't think it'd do any real harm.
BTW2, you should also be aware that Apple supports two different levels of MDM enrollment, supervised and enrolled-without-supervision. Supervision is essentially intended for company-owned devices and grants the MDM system more control and access to the client devices than would really be appropriate in a BYOD scenario. See "About Apple device supervision" and "MDM restrictions for supervised Apple devices". Choose wisely.
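As an added example (not part of the question or the answer above), here is a small self-audit script a developer can run on a managed Mac to see the two things the answer turns on: which local accounts sit in the admin group (and therefore can become root and read other users' files, Full Disk Access permitting), and whether the machine is MDM-enrolled and supervised via Automated Device Enrollment (DEP). It uses the standard macOS tools `dscl` and `profiles`; the exact output format of `profiles status -type enrollment` ("Enrolled via DEP: Yes" / "MDM enrollment: Yes (User Approved)") is assumed from memory and may differ slightly between macOS versions. The parsing lives in functions that take text, so the script can also be exercised on a non-Mac with the constructed sample output embedded below.

```shell
#!/bin/bash
# Added example, not from the original answer: audit who is in the admin group
# and how (if at all) this Mac is enrolled in MDM.
#
# Assumed macOS commands and output shapes:
#   dscl . -read /Groups/admin GroupMembership   -> "GroupMembership: root alice bob"
#   profiles status -type enrollment             -> "Enrolled via DEP: Yes|No"
#                                                   "MDM enrollment: Yes (User Approved)|Yes|No"

# Print one admin account per line from dscl's GroupMembership line, excluding root.
# $1: the dscl output text
admin_accounts() {
    printf '%s\n' "$1" \
        | sed -n 's/^GroupMembership: *//p' \
        | tr ' ' '\n' \
        | grep -v '^root$' \
        | grep -v '^$'
}

# True (exit 0) if the enrollment report says the Mac was enrolled through DEP,
# which on macOS means the device is supervised (the "company-owned" level).
# $1: the profiles output text
is_supervised() {
    printf '%s\n' "$1" | grep -q '^Enrolled via DEP: *Yes'
}

# Classify the MDM enrollment line as one of: none, unapproved, user-approved.
# $1: the profiles output text
mdm_state() {
    local line
    line=$(printf '%s\n' "$1" | sed -n 's/^MDM enrollment: *//p')
    case "$line" in
        "Yes"*"User Approved"*) echo "user-approved" ;;
        "Yes"*)                 echo "unapproved" ;;
        *)                      echo "none" ;;
    esac
}

# Constructed sample output (not captured from a real machine), used when the
# script runs somewhere other than macOS so the logic can still be exercised.
SAMPLE_ADMIN='GroupMembership: root alice msp-admin'
SAMPLE_PROFILES='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'

if [ "$(uname)" = "Darwin" ]; then
    admins=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null)
    enroll=$(profiles status -type enrollment 2>/dev/null)
else
    admins=$SAMPLE_ADMIN
    enroll=$SAMPLE_PROFILES
fi

echo "Local admin accounts (besides root): $(admin_accounts "$admins" | tr '\n' ' ')"
echo "MDM enrollment: $(mdm_state "$enroll")"
if is_supervised "$enroll"; then
    echo "Supervised (DEP-enrolled): yes"
else
    echo "Supervised (DEP-enrolled): no"
fi
```

An account listed by `admin_accounts` other than your own (here the constructed `msp-admin`) is one that can `sudo` to root and, after granting its tools Full Disk Access, read your home directory and locally synced iCloud files; it still cannot open your login keychain without your password. "Supervised: yes" means the MDM server has the wider set of restrictions and access that the answer's BTW2 warns about.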