What you are seeing is correct and expected. To sync the MDM policy from Intune on a HAADJ Windows endpoint, you need to select the on-prem AD domain in Access work or school, click the Info button, scroll to the bottom, and click Sync.
Because you only have the Endpoint Security workload switched over, only profiles and settings related to Endpoint security will apply.
Also note that co-management and co-management workloads have nothing to do with group policy and won't in any way arbitrate or prevent group policies from applying. You need to control this using group policy targeting constructs like OUs, security filtering, and WMI filters.
Finally, it was never "SCCM" and has always been (at least since it was SMS) and still is ConfigMgr.