Best Practices for Azure AD-joined PCs and Global Admin accounts
Am I correct in assuming that I should do the same with AAD - take away their Global Admin rights on their regular accounts?
You are absolutely correct. This isn't specific to Office 365. This is standard best practice. They (and you) should log on to your computers with "standard" Office 365/Azure AD user accounts (no Office 365 or Azure management roles), and you should use dedicated, named Global Admin accounts for tasks that require that role.
Are there safeguards in place? Only if you put them in place. One of these is using the Office 365 security defaults and also implementing multifactor authentication for all accounts that have Office 365 or Azure AD management roles. A Global Admin is a Global Admin and has all the rights, permissions, and abilities of a Global Admin. There's no protection mechanism to say "Oh, this Global Admin is logging in from an Azure AD joined machine so we'll restrict their Global Admin ability."
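
One way to check a tenant against the advice in the answer above, as an added example that is not part of the original post: the script lists every user holding the Global Administrator role and flags those without MFA registered or that look like everyday accounts. It assumes the Microsoft Graph PowerShell module is installed; treating "has an assigned license" as a sign of a daily-use account is a heuristic chosen for this example, and the `LooksLikeDailyUse` column name is made up here.

```powershell
# Added example: audit Global Administrator role holders.
# Assumes the Microsoft.Graph PowerShell module and a sign-in that may read
# directory roles, users and the authentication-methods registration report.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','User.Read.All','AuditLog.Read.All'

# Well-known template ID of the built-in Global Administrator role.
$templateId = '62e90394-69f5-4237-9190-012177145e10'
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$templateId'"

# Note: this returns active role members only; assignments that are merely
# eligible through Privileged Identity Management are not listed here.
$report = foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
    # Role members can also be groups or service principals; report users only.
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $user = Get-MgUser -UserId $member.Id `
        -Property 'id,userPrincipalName,accountEnabled,assignedLicenses'
    $reg  = Get-MgReportAuthenticationMethodUserRegistrationDetail `
        -UserRegistrationDetailsId $member.Id

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        Enabled           = $user.AccountEnabled
        MfaRegistered     = $reg.IsMfaRegistered
        # Heuristic (assumption of this example): a licensed account is
        # probably someone's everyday account, not a dedicated admin one.
        LooksLikeDailyUse = $user.AssignedLicenses.Count -gt 0
    }
}

# Full list first, then only the accounts that need attention.
$report | Sort-Object UserPrincipalName | Format-Table -AutoSize
$report | Where-Object { -not $_.MfaRegistered -or $_.LooksLikeDailyUse } |
    Format-Table -AutoSize
```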