Don't allow them to log in to work devices with personal iCloud credentials. You can limit the blast radius a bit with a restrictions configuration profile, but MDM is very limited in what it can do with AppleIDs and stuff loves to bleed out in ways you did not expect. If you want people to use their AirPods with their work Macs, they can manually pair them.
As far as iMessage goes, I would strongly recommend not using it. iMessage is a DLP nightmare. You are wanting to lock down photo sync, contact sync, iCloud Drive, etc., but want to give them access to a peer-to-peer encrypted messaging client with no journaling options that supports drag and drop of attachments to exfiltrate pretty much anything they want? Just an example of how difficult it is to properly contain an AppleID.
You solved most of my concerns with the AirPods not needing an Apple ID to connect to a computer. Appreciate the clarification!
Woot. Got to love the easy way out. They only want the AppleID to smart swap between devices, but have no need for an AppleID to just pair up and be used.
Thanks again, that will be very useful to know as I continue planning out the restrictions I put in place.