Hello,
Thank you for posting in Q&A forum.
As a support engineer rather than an architect, I would recommend you follow the principle of least privilege.
For safety purposes, you can separate Exchange hybrid into a single VLAN and only allow the necessary traffic between it and the other VLANs. In this scenario, it will have the least access to any other sensitive resources.
Hope this answer helps.
Best regards,
Jill Zhou