How to configure Intune to not allow remote wiping of personal devices

I’m a journalist seeking to do a story around best practices for configuring Intune, in the wake of last week’s destructive attack against Michigan-based medical device maker Stryker. It looks like attackers gained admin-level access to Intune and used it to wipe employees’ personal devices that were enrolled in Intune.

I was speaking with someone who has recent Intune administration experience, and his take is that like other UEM/BYOD/endpoint management tools, none of this software should be configured with the ability to fully wipe a personal device. Instead, it should be only placing sandboxed apps or directories onto a device. Only this sandboxed stuff should be remotely nuke-able. His supposition is that if personal data can be wiped, then either the Intune admins set it up incorrectly, or their documentation for employees who self-configure didn’t specify how to add their device but not give Intune full wiping capabilities.

My questions:

1) Is it possible to configure Intune so that it doesn’t have overly broad permission to wipe an entire, personally owned device?

2) How exactly would one do that (on either Android or iOS)?

There’s lots of “ditch Intune” chatter on Reddit now, supposedly tied to CISOs/executives reacting to the Stryker attack. So I’m seeking clarity around whether the tool can be configured to not remotely wipe personal data, even if other defenses that should be in place (such as requiring multiple admins’ approval before wiping devices, setting alerts if more than a few devices get remotely wiped at once, and so on) aren’t there.