It's not such a bad idea (not for the reasons given). If a machine is locked down at the local level it can be considered 'secure by default'. You can then use GPO to open the things you want, rather than the other way around. Even if the local admin account gets cracked there is no way around this, because local GP prevents it. I've seen some university default images set up this way. A lot more work though.
One of ours is so bad it's funny. One of his "great" recommendations was to only use local policies, as domain policies create too much network traffic! lmao