You describe the two-way trust that exists between the individual and the company. However, there's (at least) a third leg: trust in each individual app that an individual chooses to install on their device. As you point out, those apps are sandboxed from each other for security. However, because no one really can be aware of what those apps are actually doing on the device, that proliferation of unknowable/untrustable apps renders the entire device untrustable.
For example, how difficult would it be for an app that performs some legitimate capability to also listen on WiFi and repeat what it has heard to its server via the mobile data network? What company has the capability to intercept and scan mobile data network traffic (isn't that illegal?) or has access to some Compendium Of Bad Apps? And, since the app was installed by the user, what right (or ability) would the company have to prevent it from running on the enterprise network, knowing it is bad?
I haven't seen or heard much about the ideal corporate WiFi infrastructure model to support mobile, but it seems that it ought to focus on keeping mobile devices outside of the enterprise network by only letting them attach to company Guest networks and, via per-app VPNs, enabling specific apps to connect to specific internal servers as required. All other app traffic is relegated to the Internet. This model ought to work nicely for any mobile device, whether smartphones, tablets, or laptops equipped with VPNs, and enables the company to focus the network security devices needed to scan that incoming traffic at one or a few ingress points for those VPNs instead of broadly throughout the network.
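The guest-network plus per-app-VPN model described in the comment above, as an added example that is not part of the original post; the app identifiers, internal address ranges and per-app allow-lists are constructed assumptions, and the policy is a simplified model of what a guest-network ACL and a VPN gateway would enforce together:

```python
import ipaddress
from collections import Counter

# Assumed enterprise address space that the guest network must never reach directly.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Hypothetical per-app VPN policy: only enrolled apps get a tunnel, and each
# tunnel terminates on exactly the internal servers that app needs (constructed).
PER_APP_VPN = {
    "com.example.crm":  {"10.1.2.10"},          # CRM client -> CRM server only
    "com.example.mail": {"10.1.3.25", "10.1.3.26"},  # mail client -> two mail hosts
}


def route(app_id: str, dest_ip: str) -> str:
    """Decide how a flow from a guest-network device is handled.

    Returns one of:
      "internet" - non-enterprise destination, leaves via the guest network
      "vpn"      - enrolled app reaching a server on its own allow-list
      "drop"     - any other attempt to reach the enterprise address space
    """
    ip = ipaddress.ip_address(dest_ip)
    if not any(ip in net for net in INTERNAL_NETS):
        return "internet"   # unknown or untrusted apps only ever see the Internet
    if dest_ip in PER_APP_VPN.get(app_id, set()):
        return "vpn"        # this is the single ingress point where scanning happens
    return "drop"           # guest ACL: no direct path into the enterprise network


def classify_flows(flows):
    """Tally routing decisions for an iterable of (app_id, dest_ip) pairs."""
    return Counter(route(app, dest) for app, dest in flows)


if __name__ == "__main__":
    # Constructed sample flows: two enrolled apps plus an unknown flashlight app.
    sample = [("com.example.crm", "10.1.2.10"),
              ("com.example.crm", "10.1.3.25"),      # wrong server for this app
              ("com.flashlight.free", "10.1.2.10"),  # unenrolled app probing inside
              ("com.flashlight.free", "203.0.113.5")]
    print(classify_flows(sample))
```

Only flows tagged "vpn" ever arrive at the enterprise side, so the inspection devices mentioned in the comment can sit at that gateway rather than across the whole network.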