First it depends if you are routing in the MX or on a switch below it.
Usually if you have general rules that apply to entire networks then just put them in the general firewall outbound ruleset. If you need your clients to dynamically authorize on the network but they all follow a same kind of ruleset as explained above I would just let your radius server define the VLAN your client is on and not apply a group policy.
However if you have a few special clients that need a complete different firewall ruleset then you can use a group policy for that.
However you'll find the custom firewall inside group policies to be a little less flexible with mixing port ranges and commas because group policies must also fit onto a switch or access point which have far less flexible rulesets.
Also if you would have a L3 switch below your MX and you also have access points then group policies will be applied on the AP instead. In that case it might be a good idea to split your network between MX and AP/Switch and track by IP address on the MX network. So you are always sure where your policy will be applied for both AP and Switch clients.
Finally as best practice on your general ruleset. Start off with some default rules and try to only use them once. So one rule for HTTP/HTTPS traffic and make sure all your source clients are on that one rule. You can use policy object groups to make it more concise.
After you've done the usual rules, http/https, dns, ntp, mail in, mail out, apple push, whatsapp and all that jazz, you can start with custom rules then.
For interVLAN traffic if you are routing on the MX then just put those before the internetbound rules and group those rules per sourcing VLAN to make it more readable.
