What is the best practice when it comes to enabling the "Default Access Protection" ? Is there any case where it is required to be disabled other than during the new software installation?
I have found VSE and Access Protection to be extremely reliable and have Not 'had' to disable AP, ever. This includes recent and unintentional, customer initiated Windows 10 upgrades (with compatible VSE version and patch already in place).
Once, I had a problem with a program installing correctly, nearly 10 years ago. The issue had to do with MDAC and .Net Framework Services. The (uninformed) support technician with the (unspecified) company who makes the software took the obvious position blaming everything but their own software and installer. To placate the technician, I had to completely remove VSE and all remnants, etc. The installer still failed. After many other issues were identified with their software, a newer installer with a modified MDAC and .Net Framework Services was needed to complete the process. (This became the next version distributed by this vendor.) Since then, no problems. VSE has not interfered with subsequent updates since that time.
Though this is just an anecdotal example, my experience has been that one of VSE's strengths is AP. Look elsewhere for problems. In my humble opinion: Leave AP alone even during 'New software installation.' This has been my mode of operation for my Customer base, for years, without issues.
So, my Best Practice would be: Leave AP enabled even during New Software Installation.