Nobody can really answer your question without knowing what you are ready to sacrifice;-)
Rootguard is not something that is designed to make sure that bridge X is the root. For instance, if I configure rootguard on all the ports of a particular bridge, I'm sure it's going to be a root bridge. However, it might be entirely disconnected from the network and break connectivity throughout my backbone!
Basically, rootguard is a feature allowing you to enforce a policy. A root port of a given bridge is the port that is connecting the subtree below the bridge to the rest of the network. By configuring rootguard on a port, you prevent it from ever becoming a root port. So the policy I was referring to sounds like: I'd rather lose connectivity to the rest of the network rather than accepting connectivity through this port. That's this policy that is missing in your post.
Typically, you configure rootguard on edge port for instance, because you'd rather lose connectivity to an edge port rather that accepting connectivity through it.
Often, you want to enforce a policy that you don't want to use an access bridge as a backup to your backbone. For example, in your example 1 or 2, you don't want to use the link sw4-sw5 as a backup path should connectivity be lost between sw2-sw3. You'd rather split your network in two rather than doing that. In that case, you would configure rootguard on the downstream ports on sw2-sw3 (f0/3, f0/4).
We are pleased to announce availability of Beta software for 16.6.3. 16.6.3 will be the second rebuild on the 16.6 release train targeted towards Catalyst 9500/9400/9300/3850/3650 switching platforms. We are looking for early feedback from custome...