Hi,
There are pros and cons to both approaches. I take the view that it is dependent on the change & you'll struggle to find an authoritative documented source on it.
As you are using derived roles then absolutely transport everything if you add/remove a transaction or change an auth field value. If you don't your derived roles will get out of sync and you'll start getting error flags.
If you are just changing an org level then you are not affecting any of the other roles that belong to that parent. Transporting the single role is more than acceptable. Your current process won't cause any harm but it will take longer time & depending on your release there may be user compare shenanigans required.
Cheers