MAM vs MDM
Mobile Device Management (MDM) means the whole device is enrolled and managed — appropriate for corporate-owned devices. Mobile Application Management (MAM) manages only the corporate app (Outlook, Teams, OneDrive, SharePoint) — the rest of the device stays untouched. For BYOD, particularly iOS where Apple's privacy stance and user expectations make full enrolment unpopular, MAM is the right control.
What MAM enforces
Microsoft Intune App Protection Policies enforce: PIN to launch the corporate app, prevention of copy-paste from corporate to personal apps, encryption of corporate data at rest in the app, conditional launch (block if jailbroken, block if OS version too old), and selective wipe (remove corporate data without wiping the device). All without ever touching the user's personal photos, messages or apps.