firepower allow rule with no IPS vs trust rule

tato386
Level 6

What would be the difference between an allow rule with no IPS policy selected and a trust rule?  

TIA

10 Replies

That diagram is pretty good.  So it looks like if no IPS and no file policy is selected then it appears NAP is the only difference.  Is it safe to assume that SI comes before any type of ACP rule and therefore is applied to all traffic before any rule is even tried for a match?

There is a good thread that also shows how the packet flow takes place in more detail:

https://community.cisco.com/t5/network-security/firepower-network-analysis-and-intrusion-prevention-policy/td-p/4408916

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

That diagram is a bit more challenging to decipher than the first one you suggested.  Looking at the SI (IP) module it appears that it takes input from both the DAQ and the ACP, but how can we tell what ACP rules are feeding SI?  Do trust rules feed back into SI?

Security Intelligence (assuming it is configured) will be enforced whether or not a given ACP rule (aka "L7 ACL" in the flow diagram in the linked thread) has an IPS policy, trust rule or something else. The idea is that SI eliminates the need to further analyze known bad packets before handing off to the more computationally intensive subsystems.

Page 128 of this Cisco Live session confirms SI is applied to Trust rules.

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2019/pdf/BRKSEC-3300.pdf
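To make the ordering the replies above describe concrete, here is an added toy model of the FTD packet flow (not Cisco code, and not taken from the linked thread or slide deck): Security Intelligence is evaluated first for every flow, then the first matching access control rule; a trust rule short-circuits before the network analysis policy, while an allow rule always passes through the NAP and only runs IPS/file inspection if the rule carries those policies. The block list, rule names and addresses are constructed for the example, and the stage names are this model's own labels, not FTD internals.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed Security Intelligence block list (hypothetical addresses).
SI_BLOCKLIST = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]


@dataclass
class Rule:
    name: str
    action: str                 # "allow", "trust" or "block"
    src: str                    # source network in CIDR notation
    dst: str                    # destination network in CIDR notation
    ips_policy: Optional[str] = None
    file_policy: Optional[str] = None

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


# Constructed access control policy, evaluated top-down, first match wins.
RULES = [
    Rule("trust-dmz", "trust", "0.0.0.0/0", "192.0.2.10/32"),
    Rule("allow-web-noips", "allow", "0.0.0.0/0", "192.0.2.20/32"),
    Rule("allow-web-ips", "allow", "0.0.0.0/0", "192.0.2.30/32",
         ips_policy="balanced", file_policy="malware"),
]


def evaluate(src: str, dst: str, rules: List[Rule] = RULES,
             blocklist=SI_BLOCKLIST) -> Tuple[str, List[str]]:
    """Return (verdict, stages traversed) for one flow.

    Order as modelled from the thread: SI runs first for every flow, no
    matter which ACP rule would later match (a trust rule does not bypass
    SI); then the first matching ACP rule. Trust stops before the NAP;
    allow goes through the NAP and then IPS/file inspection only if the
    rule has those policies attached.
    """
    stages = ["SI"]
    if any(ip_address(a) in net for a in (src, dst) for net in blocklist):
        return "SI_BLOCK", stages
    for rule in rules:
        if not rule.matches(src, dst):
            continue
        stages.append(f"ACP:{rule.name}")
        if rule.action == "block":
            return "BLOCK", stages
        if rule.action == "trust":
            return "TRUST", stages          # fast path: no NAP, IPS or file policy
        stages.append("NAP")                # allow: network analysis policy runs
        if rule.ips_policy:
            stages.append(f"IPS:{rule.ips_policy}")
        if rule.file_policy:
            stages.append(f"FILE:{rule.file_policy}")
        return "ALLOW", stages
    stages.append("ACP:default")
    return "DEFAULT_ACTION", stages


if __name__ == "__main__":
    for flow in [("203.0.113.5", "192.0.2.10"),   # SI-listed source, would hit the trust rule
                 ("10.0.0.5", "192.0.2.10"),      # trust rule
                 ("10.0.0.5", "192.0.2.20"),      # allow, no IPS or file policy
                 ("10.0.0.5", "192.0.2.30")]:     # allow with IPS and file policy
        print(flow, evaluate(*flow))
```

The first flow shows the point of the thread: even though the trust rule would have matched, the SI-listed source never reaches the ACP. Comparing the second and third flows shows that an allow rule with no IPS and no file policy differs from trust only by the NAP stage.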

Thank you!

Yes, that is a good presentation. I was afraid to offer that link; sometimes people do not have access to Cisco Live On-Demand.

Hope you have cleared your doubt now.

BB


Yes, thank you!

TheGoob
Level 4

Interesting topic, I also had similar questions. I feel the diagram earlier in the discussion was indeed the answer I too was seeking, but wanted to clarify with a worded response as opposed to what I believe a diagram to be telling me.


FPR1010 with 8 static IPs, 6 usable. Would setting 1 of the IPs to "trust" essentially make it "all open" and then another firewall [not] the FPR1010 can do the ACLs etc.? So trust bypasses all security and allows anything in or out on that specific trust rule?

I would say yes, but if you are going to run your public IPs through the FPR1010 (routed mode) it would mean you would also have to NAT the 2nd IP to the outside interface/IP of your 2nd firewall, which would have a private IP.  I would try to avoid the double NAT if possible.
