Forum Discussion

RybsonFPS
Copper Contributor
Mar 10, 2026

Windows Hello - optional

Hello community,

I'm trying to set Windows Hello as optional (not forced) for users in our org. Currently we have a security group for people who asked for Windows Hello to be enabled for them. All devices are Windows 11, fully managed by Intune. The current Win Hello solution is provided by an Intune policy - identity protection - "Configure Windows Hello for Business". It works, but as mentioned I would like to make it optional for everyone in our org so users can decide whether to use it or not. Is it possible?

4 Replies

  • jxsh42
    Brass Contributor

    Set as "Not Configured" in the Enrollment section.
    Create a configuration policy, settings template, search for Windows Hello for Business, add the proper checkboxes.

    Assign to group.
    DO NOT enable Windows Hello settings in Entra; let Intune manage it.

  • Jamesraby
    Copper Contributor

    Good question. There are a few approaches beyond the Entitlement Management suggestion above:

     

    1. The simplest option is to set the Windows Hello for Business policy to "Not configured" at the tenant level (Devices > Enrollment > Windows Hello for Business > set to Disabled at tenant level). Then create a targeted Identity Protection policy that enables it, and assign that policy only to your opt-in security group. Users not in the group simply will not be prompted.

     

    2. If you want users to self-enrol without IT involvement, you can combine this with a self-service group in Entra ID. Create a Microsoft 365 or Security group with "Owners can manage membership" and allow users to request access. When they join the group, the Windows Hello policy applies automatically.

     

    3. Another approach is to use device configuration profiles instead of the Identity Protection policy. Create a Settings Catalog profile with the Windows Hello settings, assign it to your opt-in group, and set the tenant-level WHfB to Disabled. This gives you more granular control over the PIN complexity, biometric settings, etc.

     

    The key is making sure the tenant-wide setting is Disabled first, otherwise it forces WHfB on everyone regardless of your targeted policies.
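
A device-side check for the opt-in setup discussed in this thread, as an added example that is not from any of the posters: it parses `dsregcmd /status` output to show whether a Windows Hello for Business policy reached the device and whether the user has enrolled. The function name `Get-WhfbState` and the sample text are constructed for illustration; the field names are the ones `dsregcmd /status` prints.

```powershell
# Added example. Parses `dsregcmd /status` text into the fields relevant to WHfB.
function Get-WhfbState {
    param([Parameter(Mandatory)][string[]]$StatusLines)

    $fields = @{}
    foreach ($line in $StatusLines) {
        # dsregcmd prints "Name : Value" pairs; banners and blank lines do not match.
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    [pscustomobject]@{
        EntraJoined   = $fields['AzureAdJoined'] -eq 'YES'
        PolicyEnabled = $fields['PolicyEnabled'] -eq 'YES'  # a WHfB policy applies to this user/device
        UserEnrolled  = $fields['NgcSet'] -eq 'YES'         # user already has a Hello credential
        PreReqResult  = $fields['PreReqResult']             # WillProvision / WillNotProvision
    }
}

# Constructed sample (trimmed) for a user outside the opt-in group.
$sample = @'
| Device State |
             AzureAdJoined : YES
| User State |
                    NgcSet : NO
| Ngc Prerequisite Check |
             PolicyEnabled : NO
              PreReqResult : WillNotProvision
'@ -split "`r?`n"

$state = Get-WhfbState -StatusLines $sample
$state | Format-List

# A user outside the group should not be set up for provisioning.
if ($state.PolicyEnabled -or $state.PreReqResult -eq 'WillProvision') {
    Write-Warning 'WHfB provisioning is enabled here; check tenant-wide setting and group membership.'
}
```

On a managed device, run it as the signed-in user with `Get-WhfbState -StatusLines (dsregcmd /status)`, since the user state fields reflect the account running the command.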