They should not be domain admins, because the built-in group is designed for people who have complete, unrestricted access to everything in the domain. You can make it annoying for them to get at data, but they can always do it.

Denying them permissions does not work because they can take ownership. Denying the right to take ownership doesn't work because they can reset the rights back to a default setting.

Encryption will not work because they can name themselves as a recovery agent and get encryption keys from any other user in the domain.

If you have people that you do want to be domain admins, don't put them in the group; make a junior admin group and give them appropriate rights or something along those lines.
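
One way to set up such a junior admin group, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module and `dsacls` are available; the domain `example.com`, the OUs, the group name and the account `jdoe` are placeholders, and "appropriate rights" is taken here to mean password reset and account unlock on one OU.

```powershell
# Added example: every name below is a placeholder, adjust to your domain.
Import-Module ActiveDirectory

$domainDn = 'DC=example,DC=com'          # assumed domain
$targetOu = "OU=Staff,$domainDn"         # OU whose users the juniors may manage
$groupOu  = "OU=Groups,$domainDn"        # where the delegation group lives
$groupSam = 'JuniorAdmins'               # hypothetical group name
$trustee  = "EXAMPLE\$groupSam"          # assumed NetBIOS domain name
$members  = @('jdoe')                    # hypothetical junior admin account

# 1. Create a plain security group; it carries no rights until delegated.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$groupSam'")) {
    New-ADGroup -Name 'Junior Admins' -SamAccountName $groupSam `
        -GroupScope Global -GroupCategory Security -Path $groupOu `
        -Description 'Delegated password reset and unlock on OU=Staff only'
}
Add-ADGroupMember -Identity $groupSam -Members $members

# 2. Delegate only what the role needs, scoped to user objects under one OU.
#    /I:S applies the ACE to child objects; CA = control access right,
#    RPWP = read/write one named property.
dsacls $targetOu /I:S /G "${trustee}:CA;Reset Password;user"
dsacls $targetOu /I:S /G "${trustee}:RPWP;pwdLastSet;user"   # force change at next logon
dsacls $targetOu /I:S /G "${trustee}:RPWP;lockoutTime;user"  # unlock accounts

# 3. Check that no junior admin also sits in a built-in privileged group,
#    directly or through nesting, which would bypass the delegation.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators'
foreach ($group in $privileged) {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $members -contains $_.SamAccountName } |
        ForEach-Object {
            Write-Warning "$($_.SamAccountName) is a member of '$group'"
        }
}

# 4. Review the resulting ACEs on the OU for the delegated group.
(Get-Acl "AD:\$targetOu").Access |
    Where-Object { $_.IdentityReference -eq $trustee } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```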