Can you have spoke sites configured with a default route out to the internet locally and not through the central hub or hubs?
From what I see configuring all sites as hub becomes a nightmare when site to site VPN's get advertised to all other hubs (including VPN's to external organizations). I know you can permit or deny but it's so much work.