Forum Discussion
Master ownership of Android devices
The 2nd hand aspect of your concerns does add a little more to consider, but there are still ways and means with a few limitations.
As Moombas points out, zero-touch is reseller based. It is entirely free to use providing you've purchased the devices new or used from a reseller in the first place. Zero-touch won't alleviate FRP causing issues alone, but it will redirect devices into management any time they're factory reset.
On the subject of management, it's not always expensive. Consider Miradore as an example: they have a basic plan for free with no device limit. Other platforms, such as mambo EMM, Appaloosa or Wizy EMM, offer limited/low cost options on a rolling monthly basis, and cover all basics for device management.
When devices are managed, again as Moombas points out, restrictions on accounts added to the device can be put in place, but more than this, you as the admin can mandate a specific account on the device to enforce FRP, or disable FRP altogether, and users with the devices (or those who get hold of them) are powerless to change this, as the management agent enforces the policies. This extends also to mandating medium to strong password requirements, and also the ability to remove a password remotely as the administrator of the managed device.
For consumers and devices that won't be put under enterprise management, well, it's no different to any other asset. If you lock your front door with a piece of rope, someone will cut it and gain access, after which they can wreak whatever havoc comes with accessing a person's home. If you secure your device with a pattern or simple PIN code and leave it around for someone to gain access to it, they will. At least with a device, a proof of purchase is normally enough to get FRP removed by the manufacturer on request.
Multi-user is still a thing, by the way, it just needs to be explicitly turned on for most modern handsets.
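Added example (not part of the post above, and not any vendor's code): a small audit of a device policy for the controls that post describes, namely an admin-mandated FRP account, account restrictions and medium-to-strong password rules. It assumes the EMM exposes Android Management API policy fields (`frpAdminEmails`, `modifyAccountsDisabled`, `passwordPolicies`); the two sample policies are constructed, and treating `COMPLEXITY_MEDIUM`/`COMPLEXITY_HIGH` as "medium to strong" is this example's own choice.

```python
# Assumption: policy is a dict shaped like an Android Management API Policy.
MEDIUM_OR_STRONGER = {"COMPLEXITY_MEDIUM", "COMPLEXITY_HIGH"}  # example's choice


def audit_policy(policy):
    """Return a list of findings; an empty list means all three controls are set."""
    findings = []

    # 1. FRP tied to an account the admin chose, not one the user added.
    emails = [e.strip() for e in policy.get("frpAdminEmails", []) if e.strip()]
    if not emails:
        findings.append("frp: no frpAdminEmails set")
    elif any("@" not in e for e in emails):
        findings.append("frp: malformed address in frpAdminEmails")

    # 2. Users must not be able to add or remove accounts themselves.
    if not policy.get("modifyAccountsDisabled", False):
        findings.append("accounts: modifyAccountsDisabled is not true")

    # 3. At least one device-wide password rule of medium complexity or higher.
    #    Rules scoped only to the work profile do not protect the device lock.
    device_rules = [r for r in policy.get("passwordPolicies", [])
                    if r.get("passwordScope") != "SCOPE_PROFILE"]
    if not any(r.get("passwordQuality") in MEDIUM_OR_STRONGER for r in device_rules):
        findings.append("password: no device-scope rule at COMPLEXITY_MEDIUM or higher")

    return findings


# Constructed sample: user-controlled accounts, weak lock requirement.
WEAK_POLICY = {
    "passwordPolicies": [
        {"passwordScope": "SCOPE_DEVICE", "passwordQuality": "COMPLEXITY_LOW"}
    ],
}

# Constructed sample: the same policy with the post's three controls applied.
HARDENED_POLICY = {
    "frpAdminEmails": ["frp-admin@example.com"],  # placeholder address
    "modifyAccountsDisabled": True,
    "passwordPolicies": [
        {"passwordScope": "SCOPE_DEVICE", "passwordQuality": "COMPLEXITY_MEDIUM"}
    ],
}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(pol) or "OK")
```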
My point is that the device user is not always the device owner, and that general consumers shouldn't have such powerful tools available. ZT is SUPPOSED to be only devices purchased through the reseller, but they can actually onboard any device, as we've experienced, but I'm not going into that now. I can understand a business locking a device, but not some random user, potentially even by accident, and without any sort of special tools. This is about device users not being device owners, something that has never been a problem until FRP.