What data can be wiped? All data on the device can be wiped. It can allow Outlook (actually Exchange server, hosted Exchange server in the case of Office 365) to perform a full factory reset without your intervention, meaning no PIN, no password, or other intervention from the user. If someone issued an erase all data command from the Exchange console to your device, it would be completely factory defaulted and you could not stop it. Source: personal experience as a system administrator, and "Perform a remote wipe on a mobile phone". This has been a feature in Exchange for well over 10 years, so it is nothing new.
That sounds super scary, but in reality this is extremely common when connecting to any Exchange server, and although I personally think the other restrictions on this particular account are extreme, they are not uncommon, and may be appropriate for your organization. The intent of these permissions is to secure your organization's data, plain and simple.
In my 25+ years of experience working in IT, I have only ever heard of this feature being used maliciously once, but the company involved got sued for a hefty amount (again, this is hearsay; I cannot prove or document it to be true or false). My point in saying that is that illicit use of this feature is extremely rare and should not generally be considered a problem or issue worth worrying about. That said, I have heard more than one story of an employee being terminated and a wipe command issued, and they lost all of their own personal data; that is considered acceptable and legal in most cases. I have been in situations where this had to be done, and if at all feasible we warn the employee that they must immediately delete their corporate account from their device, and have 24 hours, or until the end of the day, then we will issue a device wipe. If the account has been removed from the device, nothing will happen; if the account still exists, the device will be wiped. This is really only an issue where organizations allow BYOD (Bring Your Own Device); organizations where data security is of the utmost importance generally do not allow this and will issue devices with this and various other security measures implemented.
Remember that if someone did issue a wipe command to your device, it would be logged, and if it was done maliciously then the most likely result is that person would be terminated immediately. If they were not, I would strongly reconsider whether your employer is correct for you.
And you do not need root to "bypass" this restriction. Just install an isolated Exchange client like Nine (as an example), which will allow full access to all Exchange services (email, calendar, contacts, etc.) and give permission to Exchange to wipe the account information, NOT the entire device. If Exchange sends a wipe all data command, Nine will wipe all data related to that Exchange account. Be aware that using such a client, or a feature of your device that prevents this feature, may be in violation of your corporate security policy, and you should verify that with your organization's IT staff. In many organizations, violation of IT security policy can be grounds for termination.