Admin, Mobile, Managed are just types of user accounts with different abilities/restrictions. Her user account is a "network" mobile account, which are mostly all managed, and has been elevated to an admin account.
MDM is indeed represented by the MDM profiles installed.
Correct - almost always, the MDM profiles are not removable by the end-user. They can only be removed by the IT department that installed them with their MDM system. Even if you erase the Mac, when it goes through setup, it checks with Apple's Device Enrollment Program (DEP) server to see if it is a consumer-owned device, or owned by a business/educational organization. If the Mac's serial number in DEP is registered to a company/educational institution, it is "pointed" to their MDM server, which remotely configures the Mac with their assigned setup configuration, including management admin accounts, profiles, default software, etc. If it is lost/stolen, it can be remotely locked/wiped to protect data. Also, if the user leaves the organization and leaves their Apple ID signed in, or somehow they activated a firmware password, they can be deactivated/removed without needing the user's Apple ID password. MDM is also used to deploy other Apple devices, like iPhones/iPads/etc., and can hide or prevent access to iOS apps, make the device operate in kiosk-mode, in which you cannot get to anything but a single app, etc.
It's a pretty amazing system, and ensures that company-owned devices are of no use to thieves, and they cannot be wiped and resold without the institutional owner removing their MDM profiles and the device's serial number from their DEP account with Apple. Google also has the Google Enterprise Admin system, which has similar control over Google devices such as Chromebooks and Android tablets/phones. You can even limit account logins on Chromebooks to accounts from a single email domain to prevent tampering and theft.
And, I won't even get into CIPA-compliant DNS/Internet filtering, GPS location tracking, user/application and network/Internet activity logging, network VLAN restriction, etc.
These days, it's best to do work stuff on work devices, and personal stuff on personal devices.
Hope I didn't scare you too much!
C