There are many reasons.

* Preprovisioning - devices have the right certificates and know about your corporate networks. They have the necessary apps and just work.

* Tracking - if a device is lost or stolen, monitor where it is and remotely lock or wipe it

* Monitoring - have a log to audit if someone does something malicious

* Security - reduce the chance of your employees installing malware, spyware, etc. whether by accident or intention

* Locking things down - put gates in the way of bad actions like copying sensitive data into public apps or clouds. Even if you're unable to block everything, attempts to block remind honest employees and provide strong evidence that anyone who proceeds was intentionally violating policy and should be fired.

Etc., etc.

A lot of it is compliance. To get some types of customers you need to pass some security compliance certification or checks, which often have requirements like only giving access to crucial infrastructure when devices are up-to-date, the possibility to remote-disable/erase a device when it is stolen, some kind of anti-virus installed (yeah, I know), etc.

I can understand the underlying reasons, you would be surprised how many employees have bad security hygiene, which becomes an issue when they have access to high value information, tokens, etc. But since they often somewhat draconian rules, they tend to have bad side-effects (similar to password reminders). E.g. Linux users will often set up ClamAV to fulfill the anti-virus requirement. However, ClamAV parses untrusted data in C code without any sandboxing, so it probably opens a new attack vector (as opposed to Windows Defender, which as far as AFAIR uses sandboxing or a micro-VM to parse untrusted data).

The most clear and obvious use case is for school computers. You do NOT want to provision student devices en masse without protections (for both the students and the district). I envision this is a deal breaker right now that Apple is dealing with.

Even if your Corp doesn't want to do full user surveillance, there's still a lot of advantages to group policy. Roll out new software instantly, SSO enforcement, remote troubleshooting, etc.

ever worked in IT support? letting people customize their environment both increases the amount of support that users require, and increases the difficulty of providing that support.

a laptop in a stock configuration can be swapped out for a new one when it breaks. a laptop that has three years of accumulated customizations installed on it means that the employee wants their laptop back when it breaks, and they want it fixed ASAP.

when you're supporting a user who doesn't know how to type a URL into their web browser, it's a whole lot easier if you don't have to start that call with asking what web browser they're using.

Regulatory compliance. If you want to sell your product to the UK, for example, you have to (see: UK Cyber Essentials). The more you try to expand your market, the more regulations you will run into that are solved with spyware and locked down computers.

SOC2 requires to ensure all computers have the software updates installed. While certification apps can check every desktop with a monitor, ABM could just do it and enforce it.

SOC2 also encourages SSO.

Single-sign-on is actually useful.

Most of the rest of this stuff .. well, who is responsible if the laptop is compromised?

Because corporations like to control their peons. I'm sure your work laptop is laden with the same kind of corporate bullshit, it's just that MS Exchange stopped being a hot topic like 25 years ago.