SteveTH
1. No, as I understand DNSSEC your whole DNS chain must support DNSSEC, starting with your SOA. The whole chain must be trusted otherwise the attack can be performed on a higher level.
2 & 3. Good point, I would assume so. But I do see a remark (limitations remark 4) that the contoso-com.mail.protection.outlook.com A-records would be removed after GA, but those FQDNs are mentioned in articles such as: Set up connectors to route mail between Microsoft 365 or Office 365 and your own email servers | Microsoft Learn. I'll check with IanMcDonald.
That would break hybrid mail flow and partner connections if that FQDN is indeed used and eventually removed. It might be required to update all *.mail.protection.outlook.com entries to *.cloud.microsoft, but in a sense this is independent of DANE.
4. I would go with #2 if you are sure you won't have to switch anymore. MTA-STS only compares this policy value with what the MX record says: in a sense the policy specifies the valid MX FQDNs. Both are Microsoft 365 endpoints and can both be trusted. As this is currently a public preview, you could consider keeping #1 for the time being until GA, as it's always possible some unforeseen issue arises and you need to switch back to the old MX record.
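To make the MX-matching point in the reply above concrete, here is an added example (not code from the thread or from Microsoft) that parses an MTA-STS policy file and checks which MX hosts it authorises, following the RFC 8461 rule that a `*.` wildcard matches exactly one leftmost label. The policy text and the MX host list are constructed inline; the `*.cloud.microsoft` entry and the `contoso-com.mail.protection.outlook.com` name come from the discussion, while the `max_age` value, the hypothetical `mx.cloud.microsoft` host and the third-party host are assumptions for illustration, and no DNS or HTTPS lookup is performed.

```python
"""Added example: MTA-STS policy parsing and MX host validation (RFC 8461 sec. 3.2 and 4.1)."""


def parse_mta_sts_policy(text):
    """Parse the body served at https://mta-sts.<domain>/.well-known/mta-sts.txt.

    Returns a dict with 'version', 'mode', 'max_age' (int) and 'mx' (list of patterns).
    Raises ValueError on a policy a sending MTA would have to reject.
    """
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {line!r}")
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            # Multiple mx lines are allowed; each is one MX hostname or wildcard pattern.
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy[key] = value
    for required in ("version", "mode", "max_age"):
        if required not in policy:
            raise ValueError(f"missing required field: {required}")
    if policy["version"] != "STSv1":
        raise ValueError(f"unsupported version: {policy['version']}")
    if policy["mode"] not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {policy['mode']}")
    policy["max_age"] = int(policy["max_age"])
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policy must list at least one mx pattern")
    return policy


def mx_matches(pattern, host):
    """True if an MX hostname matches one policy 'mx' pattern.

    A pattern of the form '*.example.com' matches exactly one leftmost label
    (RFC 8461 sec. 4.1): 'a.example.com' yes, 'a.b.example.com' and 'example.com' no.
    Anything else must match the host name exactly (case-insensitively).
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # '.example.com'
        if not host.endswith(suffix):
            return False
        leftmost = host[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return host == pattern


def check_mx_hosts(policy, mx_hosts):
    """Map each MX host to whether the policy authorises delivery to it.

    In 'enforce' mode a sender must not deliver to a host that matches no pattern,
    which is exactly why a policy must list every MX FQDN that may appear in DNS
    during a migration.
    """
    return {host: any(mx_matches(p, host) for p in policy["mx"]) for host in mx_hosts}


# Constructed policy: lists both the old and the new Microsoft 365 MX names so that
# either MX record value is acceptable while the switch is in progress. max_age is assumed.
EXAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: contoso-com.mail.protection.outlook.com
mx: *.cloud.microsoft
max_age: 604800
"""

# Constructed MX answers: the old name, a hypothetical new name, and an unrelated host.
EXAMPLE_MX_HOSTS = [
    "contoso-com.mail.protection.outlook.com.",
    "mx.cloud.microsoft",
    "mail.third-party.example",
]


def evaluate_example():
    """Run the constructed policy against the constructed MX list."""
    return check_mx_hosts(parse_mta_sts_policy(EXAMPLE_POLICY), EXAMPLE_MX_HOSTS)


if __name__ == "__main__":
    for host, allowed in evaluate_example().items():
        print(f"{host:45s} {'allowed' if allowed else 'REJECTED'}")
```

The practical takeaway matches the reply: whichever option is chosen, every FQDN the MX record might return must appear in the policy, and a wildcard entry only covers hosts one label below it, so a deeper name such as `a.b.cloud.microsoft` would be rejected by an `*.cloud.microsoft` entry.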