When adding hosts to a group, for example, does a SQL Server get both SQL Server Group and Servers - All Types assigned or is the SQL Server Group good enough? Also, is it best to use the default group or clone the group/s?
That's pretty much how I do it. The exceptions are when it makes more sense to exclude an application class from certain rules rather than create an exception.
This way it it only has to process it once.
I still have to go through the rules, modules and policies after every upgrade to make sure the exceptions still apply.
Fortunately that happens only a couple of times a year and it's usually immediately apparent if the exceptions aren't working.