It is intended to provide baseline protection for paid tenants who have not completed configuration, in the same way that default policies do for anti-malware, anti-phish, etc. The feature was implemented as a separate template instead of just as default policies to allow for exclusions in cases where not even baseline protection is desired, as opposed to default policies, which automatically apply to every user not in scope for a custom policy. We understand that this will lead to some overage; however, there is currently nothing in the product today to prevent a tenant with 1 license from scoping their entire tenant into MDO policies. We understand that the default-on behavior is different than a customer having to explicitly make that decision to scope their entire tenant in, but we are optimizing around ensuring that every paid user is protected, even if it means there will be some overage.