I think you need to have a broad understanding of Jira permissions, so you understand what access a user has in comparison to the application itself. With that, you will understand the various access a user has and know exactly what access they do not need. Jira as a whole is a powerful tool but bad configuration could lead to an administrative nightmare.

After you've understood the above, then you can move into the Jira application permission level and check on your Global permission first before moving to the permission schemes of your project. You should examine every level of the Global permission to ensure that the groups mentioned there are valid and are the only required group allowed for each of the permission listed. After evaluation, move to your permission scheme and based on your organization's requirement provide or revoke access to what each user group or project role associated with the permission scheme can perform.

The best practice starts with performing some housekeeping of your configurations, ensuring that each component within your organization profile is kept in order. You need to perform this review constantly so you don't get an overhead in tasks which might become costly(security breaches) to your organization.

Now to your questions,

• Inheriting a bad configuration really doesn't matter now that you're administering it, what matters is whether can you fix the problems you've discovered or are about to discover.
• Start first with understanding the permission levels or privileges of a user in the Atlassian cloud in regard to the various application. Each product access you provide costs license seats, so probably you want to evaluate how you provision your user access to the application. 

Once you've done that I believe you'll get a clearer picture of how you want your users administered.