
How to control employee access to iCloud services – Computerworld

The idea is that by preventing people from using these services from within their work-related Managed Apple ID, the natural security of the devices is enhanced. It also means you can deploy your own digital employee experiences on the devices, including use of company email.

Of course, employees with devices that support both personal and managed Apple IDs also have access to all their own personal iCloud services, but not from within your deployed mobile work environment.

What about Personal Apple IDs?

Sensibly, Apple does not let IT restrict use of iCloud on personal devices; someone can access their own iCloud account from any Apple device. 

What Apple does allow is some control of iCloud access from devices enrolled in a company’s MDM system. Using Apple’s provided MDM restriction keys, companies that don’t use Managed Apple IDs can block access to specific iCloud services from a given device. This is a little like using a hammer to crack an egg, but you can block access to the following iCloud services: Address Book, Bookmarks, Calendar, Drive, Keychain, Mail, Notes, Reminders, Photo Library, and Private Relay.
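To see which of those ten services a given profile actually blocks, the following added example (not from the article or from Apple) audits an unsigned configuration profile. The key names are the ones in Apple's Restrictions payload (`com.apple.applicationaccess`); the mapping from the article's service names to those keys, the function name `audit_icloud`, and the sample profile are this example's own assumptions.

```python
import plistlib

# Article's service names mapped to Apple's Restrictions payload keys
# (the mapping is this example's; the article lists only the services).
ICLOUD_KEYS = {
    "Address Book": "allowCloudAddressBook",
    "Bookmarks": "allowCloudBookmarks",
    "Calendar": "allowCloudCalendar",
    "Drive": "allowCloudDocumentSync",
    "Keychain": "allowCloudKeychainSync",
    "Mail": "allowCloudMail",
    "Notes": "allowCloudNotes",
    "Reminders": "allowCloudReminders",
    "Photo Library": "allowCloudPhotoLibrary",
    "Private Relay": "allowCloudPrivateRelay",
}
RESTRICTIONS_TYPE = "com.apple.applicationaccess"


def audit_icloud(profile_bytes):
    """Return {service: 'blocked' | 'allowed'} for one unsigned profile."""
    profile = plistlib.loads(profile_bytes)
    # These keys default to true, so a key that is absent means "allowed".
    status = {name: "allowed" for name in ICLOUD_KEYS}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue  # skip Wi-Fi, mail and other payload types
        for name, key in ICLOUD_KEYS.items():
            # Only an explicit boolean false counts as a restriction.
            if payload.get(key) is False:
                status[name] = "blocked"
    return status


# Constructed sample profile (not a real deployment).
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.icloud-restrictions",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "example"},
        {"PayloadType": RESTRICTIONS_TYPE,
         "allowCloudDocumentSync": False,
         "allowCloudKeychainSync": False,
         "allowCloudPhotoLibrary": True},
    ],
})

if __name__ == "__main__":
    for service, state in audit_icloud(SAMPLE).items():
        print(f"{service:14} {state}")
```

A signed profile is wrapped in a CMS envelope and has to be unwrapped before `plistlib` can read it.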

The downside is that by blocking access to these services you effectively limit what your staff can do with a device that is for all intents and purposes their own device, using their own Apple ID. Many workers would likely feel this to be an unwanted intrusion into their personal devices and see such moves as displaying a lack of trust. (IT admins could, of course, argue that they feel forced to deploy such restrictions to prevent exfiltration of valuable corporate or personal data.)

Which approach is best?

For me, if you do need to restrict access to iCloud services across your teams, it feels more appropriate to impose those restrictions via a Managed Apple ID. Doing so provides the maximum benefit — you can control and restrict device use that relates to your business, its services, and data, while also permitting personal use of that device.

