Posted on 04-11-2023 05:52 AM
Hello All,
I just wanted to find a way to restrict Office 365 activation to company devices only. I don't want users to use their company license on their personal devices after installing the Office 365 app from https://software.macadmins
Is it possible to use conditional access in Azure AD so that only registered company devices will be able to activate the Office license? If yes, I think users will still be able to register their Mac in Azure AD. Please clarify this for me. Thanks in advance.
Posted on 04-14-2023 12:45 AM
It is possible, yes. It is an Azure AD matter: you need to create conditional access policies that only allow sign-ins from Macs registered with Intune and compliant.
Posted on 04-14-2023 01:30 AM
But a user can register their personal Mac in the company's Azure AD using their company email address and password by installing the Company Portal app. So is there any other solution?
Posted on 04-14-2023 04:35 AM
Sure, they could do that, but they can't do it if you only allow compliant devices to sign in, even with Company Portal. Normally everyone makes an exception for Company Portal so that devices can be enrolled, but you don't need to make such an exception, and if you don't, nobody can log in until after the device is compliant, and they can't make it compliant because they can't log in.
You have near-infinite possibilities in MEM/Intune conditional access to decide which devices can go through enrollment; for example, you might require them to be at the office during enrollment, or to have a certain serial number. All you need to do is make sure that a personal device can never reach conditional access compliance, and require a compliant device to sign in.
If you only have or allow Mac devices, you could simply make a compliance policy that doesn't include Windows PCs.
However, these near-infinite possibilities also make it easy to accidentally create very convoluted rules. So be careful.
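The setup described in the reply above (a macOS-only compliance policy, plus a conditional access policy that requires a compliant device for every cloud app with no Company Portal exception), as an added example that is not part of the thread. It assumes the Microsoft.Graph PowerShell SDK, an account holding the Conditional Access and Intune administrator roles, and a break-glass group whose object ID is a placeholder; the property names follow the Graph `macOSCompliancePolicy` and `conditionalAccessPolicy` resources, and the `scheduledActionsForRule` block is included because Graph requires one when a compliance policy is created.

```powershell
# Added example (not from the thread). Requires: Install-Module Microsoft.Graph
# Placeholders in angle brackets must be replaced with real object IDs.
Connect-MgGraph -Scopes @(
    "Policy.ReadWrite.ConditionalAccess",
    "Policy.Read.All",
    "DeviceManagementConfiguration.ReadWrite.All"
)

# 1. A macOS-only compliance policy. Windows PCs are never targeted, so a
#    Windows device can never become compliant ("doesn't include Windows PCs").
#    Assign it to your Mac device group afterwards; an unassigned policy does nothing.
$compliance = @{
    "@odata.type"                    = "#microsoft.graph.macOSCompliancePolicy"
    displayName                      = "macOS baseline (corporate)"
    passwordRequired                 = $true
    storageRequireEncryption         = $true      # FileVault on
    systemIntegrityProtectionEnabled = $true
    osMinimumVersion                 = "13.0"
    # Graph requires at least one scheduled action (here: block immediately on non-compliance).
    scheduledActionsForRule          = @(
        @{
            ruleName                      = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}
$compliancePolicy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance

# 2. Conditional access: every cloud app, Intune/Company Portal included, requires a
#    compliant device. Nothing is excluded, so a personal Mac cannot sign in to
#    Company Portal to enrol, and therefore can never become compliant.
$ca = @{
    displayName   = "Require compliant device - all cloud apps, no Company Portal exception"
    state         = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after reviewing sign-in logs
    conditions    = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @("<break-glass-accounts-group-object-id>")   # placeholder: never lock out emergency access accounts
        }
        applications = @{
            includeApplications = @("All")
            excludeApplications = @()     # deliberately empty: the usual Intune / Company Portal exclusion is NOT made
        }
        clientAppTypes = @("all")
        locations = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")   # the "must be at the office to enrol" option: trusted named locations bypass the policy
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}
$caPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter $ca

"Compliance policy: $($compliancePolicy.Id)"
"Conditional access policy: $($caPolicy.Id) (state: $($caPolicy.State))"
```

Two checks before switching the policy from report-only to enabled: confirm in the sign-in logs that your own corporate Macs show up as compliant (otherwise you lock everyone out, including admins, which is why the break-glass group is excluded), and decide what the trusted-location bypass buys you. With `AllTrusted` excluded, a personal Mac brought onto the office network can still enrol; if that is unacceptable, drop the location exclusion and instead restrict enrolment by serial number (Automated Device Enrollment for known devices) or block personally owned macOS devices in Intune's enrollment restrictions, as the reply suggests.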