In BW you will definitely run into problems as they use this generation feature. They sometimes add table contents which are client specific, even if 000 covers most. It is a lesser evil and DDIC is consistent.
For upgrades DDIC will need SAP_ALL. Do not try it without SAP_ALL and it must be done as DDIC.
The role for DDIC ends up OK if you clean the jobstep users, as it has no tcode access, and switch the user type to SYSTEM so no SAPGui or debugger can be attached. But you need a process for upgrades for the basis team (unavoidable).
So at the end of the day you must have a process for managing the password of DDIC. This has been set during the installation since 7.00 but must be managed (and changed) -> otherwise "noise"...