john john
Steel Contributor
Feb 26, 2019

Policy for when/how to allow end users to create and manage SharePoint sites

In the SharePoint Online world, end users are able to create sites such as team sites and communication sites. But I am not sure if we should really allow this to happen, as on some tenants I have been working on, where end users are creating sites, I have noted that these sites have many major/minor problems, as follows:

 

1. Users are granted permission to add/edit/delete items and pages through the default members group, which will grant them the "Edit" permission level. So members are able to add/edit/delete lists and libraries as well. While when I create a new site, I grant members "Contribute" permission instead.

2. Additional columns for the lists/libraries are being added at the list level and not at the site level. Also, no custom content type is being created. While when I create a new column, I always add it through a custom content type at the site level.

3. Also, the default settings for sharing are being left without modification, so any site member can share a single file with internal users, and even share with external users. This has the problem of exposing data to external users, and it is also causing unique permissions to be granted to single files and pages. While when I create a site, I avoid allowing end users to share single files, and I always create additional lists/sites to manage data for a group of users, rather than doing this on a single file/page basis.

 

Now when I work on a new tenant, I always set a general policy with the customer as follows:

1. If the company is looking for a long-running site, where best practices must be implemented and security is being managed in the recommended way, then those sites should be created by users who have SharePoint knowledge. These sites include: HR, Finance, the Home site for the company, etc.

2. If the purpose of the site is to share files and data for a short-period project, then users can create their own sites. But those sites cannot be supported by us (we are a company which provides SharePoint implementation), because, as mentioned in the above 3 points, 99% of the sites created by end users (non-SharePoint-experienced users) do not follow best practices when modifying them and when managing their security.

 

I am sharing my above general policy to get any feedback, as officially there is not any policy mentioned, and it is left to each organization to decide its best policy. But I set the above policy based on my experience and observations.

So can anyone advise on my above policy? And does it sound valid?

Regards.

 
