Cloud PCs are as much as part of your Microsoft 365 environment as any other device. As mentioned, they are enrolled into Intune. This allows for you to configure and apply corporate compliance policies. They are also Hybrid Azure AD Joined. This provides two signals for application of conditional access policy scenarios that can include other conditions such as risk factor or enforce multi-factor authentication. All to ensure the device is secured user is securely authenticated prior to accessing the Cloud PC.
In addition, you can use Microsoft Endpoint Manager to onboard Cloud PCs to Microsoft Defender for Endpoint for endpoint detection and response capabilities. Intune can push applicable security baselines, Windows OS updates, anti-virus policies, and attack surface reduction measures.
Intune can also be used to define additional local admins on all Cloud PCs. By default, users are not administrators of their Cloud PC. This can be done directly in the MEM Admin Center at Devices > Windows 365 > … > User Settings > Add. Select a security group and any member of that security group will be local administrators on all Cloud PCs.
Finally, Cloud PCs support controls for RDP Device redirections via Group Policy. Not all types of redirections are supported, and it differs based on what client is used to access your Cloud PC. Microsoft has these documented here.