Not sure if I understand it completely, but I will give it a try.
SureBackup is used to verify your backups. I would advise you to create some of these jobs for your critical VMs (to test if they can be booted and, with additional scripts, to test the inside workload also). I would also advise some sort of a rotation for the non-critical VMs so you can at least test those at a regular interval also. So SureBackup is NOT a backup job, it is a system to verify your VMs. (And it can also be used as a system to test patching, updates or train new administrators or something like that.)
With our application-aware setting, it is not only for VSS. Our AAP is more advanced. So if it is your own environment, I would certainly do so.
For deduplication: I actually would put them together in the backup job so you have deduplication per job on your fast storage to save on storage. If I understood correctly, your backup copy job will land the data on a duplicating storage, so it is over there that you could benefit from per-VM, depending on what you try to achieve.
Optimal for compression and dedupe: It depends on where you are storing the data and what you want to achieve. If it is local disk, this will give you the best ratio between backup time and disk savings. But maybe you prefer storage savings over speed so you can choose high or extreme.
No need to decompress in that last scenario, but be aware that Windows dedupe in 2012 R2 can cause issues with larger files, so in that case make sure you do per-VM to keep the VBK files smaller (2016 dedupe is better, but still can have that large file issue, so the advice remains).