If I understand you correctly. You could create a custom intune role and assign it to the user group and add the scope tag to it. so only devices etc with that scope are visible to the local country admin
Nicola created a blog about this some time ago.. (if this is what you ment)
Fnod could you provide some more details on your requirement?
I have a customer that also has a requirement for local IT to support their own devices. We weren't able to create dynamic groups (through name of Autpilot tag). I created a script that retrieves the primary user of a device, checks the 'Company' field of that user and then adds the device to an assigned group.