Default connection profile - allow disable/move or modify behavior to never determine whether a connection succeeds

[E-ThanG]

Is your feature request related to a problem? Please describe.
I've often found that when I make a misconfiguration the default connection profile can let the connection succeed. In some cases it turns into a fail-open type of scenario.

Describe the solution you'd like
Either of these options would be good:

1. The default connection profile is allowed to be moved around. If I place it at the bottom of the list I could add a default deny rule prior to it so that the default rule would never come into play. I don't see why we need a default rule that is permanently fixed to the top of the list. Cisco ISE also has default policy that can't be deleted, but it's at the bottom of the list and all the custom rules go above it.
2. The default connection profile is able to be disabled or deleted.
3. The default connection profile is mostly unchanged, only the behavior is modified to where it can never be the profile that makes the permit/deny decision. It's just there for sub-profile inheritance. This might be a breaking change for installations that rely on the default profile though.