First question - It really depends on what you are trying to protect against. If you need more than Microsoft's defaults to address a risk scenario, yes, you have to add policies and rules to address them. Do you have a specific concern that is not addressed by an MS default? If not, follow the security principle of "keep it simple" and use what Microsoft has provided.
Second question - The differences between standard and strict values can be seen here.https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for...
Microsoft's suggested use cases are:
Standard protection: A baseline protection profile that's suitable for most users.
Strict protection: A more aggressive protection profile for selected users (high value targets or priority users).