Good answer. Since there is no definite rule were one can surely say that this is the best or worst because each person good and bad differs and I was looking for a hybrid, hand in hand AV and default deny protection approach thereby the system is neither too restrictive like lock down configurations nor all default allow which is the case of AV.Most malware is not signed. And most signed malware is not targeting home users. Furthermore, most signed malware will drop an unsigned executable at some point in the process.
So the short answer is that it is relatively safe to "Allow all signed processes" in ERP for a home user, but even so, it is better not to tick that setting. Even better is to cut down the list of trusted vendors to the ones that you really need.
But again, it's all a matter of how "paranoid" you want to be.
I too have a similar opinion that it is relatively safe to "Allow all signed processes". By doing that helps to reduce prompts considerably and in case that rare signed malware appear you need to trust your AV to do its job which is infinitely better than all default allow approach. What prompts will be the execution of unsigned file which must be dealt with out most caution anyway.