@AnttiLahti-8160 The important thing about OU filtering is that new OUs that are created after filtering has been configured are synchronized by default. So you would have to go and manually uncheck the new OUs to stop them from syncing.
Coming to your questions:
1) If you turn on Device Sync, only the computers present in an OU that is allowed for the sync process should sync. Any machine which is not in a configured OU will not be synced. The whole purpose of OU filtering is to allow admins to select what they want to synchronize. You can read more about it here.
2) Can you share some of those recommendations? We will investigate them. Again, syncing any devices should be under the control of admins. OU filtering definitely helps here.
3) If you have a restricted network which does not allow anything outside on-prem access, you can skip those machines, as doing a hybrid AD join would not be preferable on them. The whole idea is to get an Azure AD token for those devices, but if we already know that they have such a restricted network, you can keep them in an OU which is not getting synchronized.
4) If you remove the SCP from AD, the sync for devices will obviously fail, as that will not meet the basic pre-requisite of finding a location where the devices need to be registered. This will keep on showing error messages in our Azure AD Connect tool. The best way would be to uncheck Device Sync (Hybrid Azure AD join) by running the config wizard once again.
However, if you want to sync your machines, our suggestion would be to troubleshoot the sync issues as we come across them. A good start for troubleshooting hybrid join issues can be found here.
If the suggested response helped you resolve your issue, do click on "Mark as Answer" and "Up-Vote" for the answer that helped you, for the benefit of the community.
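Since new OUs are synchronized by default once OU filtering is configured, an admin needs a periodic check for OUs that appeared after the wizard was last run. The following PowerShell is an added example, not code from the answer above or from Microsoft; it assumes the ActiveDirectory RSAT module is installed, and the date and the approved-OU list are placeholders you replace with your own values.

```powershell
# Added example (not from the original answer): report OUs created after
# OU filtering was configured, because Azure AD Connect syncs new OUs
# by default until an admin unchecks them in the wizard.
# Assumptions: ActiveDirectory module available; $FilterConfiguredOn and
# $ApprovedOUs are placeholders to be filled from your own environment.
Import-Module ActiveDirectory

$FilterConfiguredOn = Get-Date '2023-01-15'   # placeholder: date the wizard was last run
$ApprovedOUs = @(                              # placeholders: OUs deliberately left checked
    'OU=Workstations,DC=contoso,DC=com',
    'OU=Servers,DC=contoso,DC=com'
)

function Get-UnreviewedSyncOU {
    # Every OU in the domain together with its creation timestamp
    $allOUs = Get-ADOrganizationalUnit -Filter * -Properties whenCreated

    # OUs created after filtering was set up and not on the approved list:
    # these will be synchronized unless they are unchecked in the wizard.
    $unreviewed = $allOUs | Where-Object {
        $_.whenCreated -gt $FilterConfiguredOn -and
        $ApprovedOUs -notcontains $_.DistinguishedName
    }

    foreach ($ou in $unreviewed) {
        # Count computer objects directly under the OU so the exposure is visible
        $computers = Get-ADComputer -Filter * -SearchBase $ou.DistinguishedName -SearchScope OneLevel
        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Created   = $ou.whenCreated
            Computers = @($computers).Count
        }
    }
}

Get-UnreviewedSyncOU | Sort-Object Created | Format-Table -AutoSize
```

Any OU listed should either be added to the approved list or unchecked in the Azure AD Connect wizard, as the answer describes.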