Why our users are getting local admin access on devices when the device runs through Autopilot profi

What enrollment method are you using ? Even if you create an Autopilot Profile, if you use autoenrollment your users will always end up Local Admin. You can check the enrollment method by it's profile assignment in the device once it is enrolled... (look at the Enrollment blade in the device details).

Another solution would be to setup a "Local user group membership" profile in your Endpoint Security blade (Account Protection) to make sure that only the default groups have local administrative privileges.