Your personal device isn’t so personal.
The short answer – it depends. If it’s truly your personal device, and the company simply reimburses you, then you’re fine. The contract of service is yours, so all the non-work activity (that takes place OUTSIDE of the company servers, email systems, etc.) is also yours. So you’re safe.
However, and this is a big however, if you think you’ve violated the company’s acceptable use policy and A) the company provides the phone or B) the illicit activity happened via the company’s network (i.e. while you were VPNing) you’re probably screwed. They have the full rights of policy enforcement and access to all digital activity that occurs from the company owned phone, or activity executed via the company owned network. Period.
So if you’re in the safe category, get your own damned phone. And if you’re in the unsafe category, wipe the phone (not that it’ll matter) and hold your breath.