Hi @whistleblower, here’s my take on your questions based on experience. Happy for others to advise if they’ve had different outcomes.
1. Yes, local configuration overrides network-wide configuration, but I’ve never seen a warning message if the two don’t match. I’ve only seen warning messages if there is a communication issue with the Meraki cloud.
2. There is no automatic tagging for the management VLAN across the network. You have to get the traffic to/from the switch. Based on this I always find it easiest to have the management VLAN set as the native on all trunks that are uplinks.
3. Imagine the management address as an access port on the switch. It doesn’t care which VLAN it is, only if there is a path to a DHCP server on that VLAN. Since it’s an ‘access port’ it’s always untagged; whether it’s tagged or not on another port depends on that port’s configuration.
4. The definition of a safe configuration is a few paragraphs further up in that document: “Safe configuration means that ‘the device has connectivity to cloud and hasn't rebooted for 30 minutes following a configuration change.’ That is, the safe configuration is the last configuration the device received from the cloud that was not followed by a reboot within 30 minutes.” A ‘not safe configuration’ is just the reverse - i.e. one where no connectivity to the cloud has been achieved.