AMA: Managing Windows with Microsoft Endpoint Manager
Event Ended
Thursday, Nov 18, 2021, 08:00 AM PST
Event details
Join us for Tech Community Live: Microsoft Endpoint Manager edition!
From Windows Autopilot to Zero Trust, this live Ask Microsoft Anything (AMA) event is your chance to bring your Windows managem...
Heather_Poulsen
Updated Dec 27, 2024
AntonKolobov1
Nov 18, 2021 | Copper Contributor
Hi, I am confused about the support statement for compliance policies in MEM and the so-called "devices enrolled to multiple users" (quote from this article: https://docs.microsoft.com/en-us/mem/intune/protect/create-compliance-policy#before-you-begin).
Premier Support engineers interpret it in such a way that if somebody other than the primary user ever logs in to the device, it leads to an unsupported state for compliance evaluation. And in case of any issues, the workaround is to re-enroll to MEM. The reason behind this, as I understood it, is that after the number of days configured in "Compliance policy settings", the compliance status for one of the user accounts (who logged on once a long time ago and never came back) "expires", and the device no longer satisfies the Built-in Device Compliance Policy.
But we cannot technically disallow other people from signing in to domain-joined (or AAD-joined) devices. It means that any device can become unsupported at any time, outside our control.
For 'Shared' devices, Support proposes configuring them as either 'Kiosk mode' or 'Shared PC mode', but both of them are a kind of special user experience... Not intended to be assigned to everyone...
It does not seem logical to me that compliance policy controls, which are all about device status, are evaluated and stored separately for each user instead of just keeping track of the most recent compliance check status per computer.
Do I get everything right? Or do you see it differently?
Because if it is as I understood, then compliance policies for Windows are hardly usable in conjunction with Conditional Access.
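A defender-side check for the situation described in the post, as an added example that is not part of the original thread or of Microsoft's documentation: it lists the Windows devices whose reported compliance state is anything other than compliant, together with the primary user and last check-in, so that devices that may have drifted into the "expired status" condition can be reviewed before Conditional Access blocks them. It assumes the Microsoft.Graph PowerShell module is installed and that the signed-in account holds the DeviceManagementManagedDevices.Read.All permission; the 30-day staleness threshold is an assumption to be matched to the tenant's own "compliance status validity period".

```powershell
# Added example (not the thread's or Microsoft's code).
# Assumes: Microsoft.Graph module installed; account has DeviceManagementManagedDevices.Read.All.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All" | Out-Null

# Pull every managed device record, following @odata.nextLink until the last page.
$uri = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?" +
       "`$select=deviceName,userPrincipalName,operatingSystem,complianceState,lastSyncDateTime"
$devices = @()
do {
    $page    = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $devices += $page.value
    $uri     = $page.'@odata.nextLink'
} while ($uri)

# Assumption: set this to the "compliance status validity period" configured in the tenant.
$staleDays = 30
$cutoff    = (Get-Date).AddDays(-$staleDays)

# Windows devices not currently reported compliant. A device whose per-user status
# has expired (the behaviour discussed above) shows up here as noncompliant/unknown;
# the 'stale' column flags records whose last check-in is older than the threshold.
$devices |
    Where-Object { $_.operatingSystem -eq 'Windows' -and $_.complianceState -ne 'compliant' } |
    Select-Object deviceName, userPrincipalName, complianceState,
        @{ n = 'lastSync'; e = { [datetime]$_.lastSyncDateTime } },
        @{ n = 'stale';    e = { [datetime]$_.lastSyncDateTime -lt $cutoff } } |
    Sort-Object lastSync |
    Format-Table -AutoSize
```

The managedDevices record carries only the device's primary user, so a device whose non-primary user's status expired appears here under the primary user's name; the lastSyncDateTime is still the quickest clue that the noncompliant state is a stale evaluation rather than a real policy failure.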