SDA subnet sizing

tomalexis
Level 1

With SDA/TrustSec and ISE in the mix.

Trying to look at options.
Let's say you have an SGT for headless devices - cameras, HVAC, badge readers etc. So are you saying that you create a VLAN/subnet for each of them?

So, then what do you put as the default VLAN on a switch?

Do you split the ports between these VLANs/subnets? Or use a default VLAN/subnet, and then let ISE do the VLAN change after profiling? In the past, VLAN change was not advised due to some clients not doing well after a VLAN change.

Same thing with a Windows machine - if it has not done a user auth, then machine auth happens and you assign, let's say, VLAN X; then the user logs in and you determine he is part of a specific SGT group, so you have to move the user to a different VLAN/subnet and the IP has to change.

Is there a trade-off there? In some cases, especially with a PC, why not keep the same IP/subnet and not change it even if the SGT membership changes?


TusharGaba0848
Level 1
Multiple scenarios and end results can be achieved following multiple approaches:

* The legacy approach is to create a new VLAN for every new set of devices.
* Creating a new VLAN doesn't change anything as long as that VLAN forwards to the same VRF. If full separation is needed then yes, one needs to create a new IP address pool, and the SVI for that address pool will forward to a new VRF which separates that traffic logically.
* Splitting the ports, a VLAN change, or posture/profiling triggering a VLAN change all work, but one needs to tweak and make decisions based on the kind of end devices in use and adjust the port-level config accordingly from DNA Center. For example, a Polycom device could behave differently compared to Avaya or Cisco w.r.t. MAB or CoA.
* The SD-Access approach could be different, since if you have closed auth mode there is a pre-auth ACL blocking everything no matter which default VLAN you are in, and once auth happens you get the desired VLAN.
* Now with SGTs, putting everyone in the same VLAN (same VRF) and just moving with SGTs from the ISE perspective is also an option.

In short, there are features: different VLANs but the same VRF, different VLANs and different VRFs, dynamic VLANs, static VLANs, static SGTs, dynamic SGTs, port-based SGTs, and so on and so forth 😊 With SGTs one can play the way they wish with all of the above.

Mike.Cifelli
VIP Alumni
I am going to provide some guidance based on your concerns/questions, in order:

Trying to look at options.
Let's say you have an SGT for headless devices - cameras, HVAC, badge readers etc. So are you saying that you create a VLAN/subnet for each of them?
-This depends on your requirements, and on how you build out your VNs in your fabric. A few things to consider are:
Do you want the "headless" devices in the same routing instance? Do any of these devices need to communicate east-west? If they do, I recommend keeping them in the same IP pool with one SGT, or in multiple IP pools with several SGTs but in the same VN. Splitting these devices up into separate IP pools and separate VNs would mean that in order to communicate you would have to leak the traffic at your fusion router(s). The more you split them up, IMO, the more admin overhead you may face from a TrustSec/route-leak perspective.

So, then what do you put as the default VLAN on a switch?
DNAC will automatically deploy the default data and voice VLANs. Right now the default data VLAN that will get provisioned to your edge nodes is 2047 and the default voice VLAN is 4000. You can create templates in DNAC to modify these configs, but note that every time you provision you will have to apply the template again, as the configs will get overridden. I believe Cisco is working on allowing engineers to create their own "closed auth" template that you can use to provision all nodes.

Do you split the ports between these VLANs/subnets? Or use a default VLAN/subnet, and then let ISE do the VLAN change after profiling? In the past, VLAN change was not advised due to some clients not doing well after a VLAN change.
I would rely on ISE to push policy to your SDA fabric. This process will be similar to a policy push in a legacy environment. Note that you have the option to statically configure ports in DNAC for their respective VN, IP pool and SGT. Your ports will have the Cisco DNAC "default" configs based on the DNAC auth template you decide to use. In order to make changes you will need to create templates, as mentioned earlier.

Same thing with a Windows machine - if it has not done a user auth, then machine auth happens and you assign, let's say, VLAN X; then the user logs in and you determine he is part of a specific SGT group, so you have to move the user to a different VLAN/subnet and the IP has to change.
I would recommend using DHCP, since it seems that your intention will be to move the workstation/user based on different EAP-chaining results.

Is there a trade-off there? In some cases, especially with a PC, why not keep the same IP/subnet and not change it even if the SGT membership changes?
A perfect example, IMO: let's pretend you are using Cisco AnyConnect NAM to accomplish both user and computer auth via EAP chaining with EAP-FAST. Upon successful computer + user authentication/authorization you move them into your core business network (VN/IP pool/etc.) that may have internet access, which is required per business policy. Then once the user terminates the session, the EAP-chaining result would change to computer pass + user fail. This is where you could move the computer to a restricted network that has access only to internal resources (WSUS/DC/SCCM/etc.). The benefit here is that your hosts would not always be internet accessible, increasing security. Obviously from an SGT perspective maybe you want users to have the ability to go east-west, but at night when nobody is present you want the computers NOT to have the east-west ability, which you could enforce with a different SGT and an IP pool move. Anyway, your last question is a design/requirement decision.
Good luck & HTH!
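
As an added illustration of the pool layouts the replies above compare (one VLAN/pool per device class, one pool per VN with SGTs separating classes inside it, or a single pool with SGTs only), the following Python sketch sizes each layout from a floor inventory and carves aligned blocks out of a supernet. It is not code from the thread or from any Cisco tool; the inventory, supernet, growth factor and pool names are all constructed, and the three reserved addresses per pool (network, broadcast, anycast gateway) are an assumption.

```python
import ipaddress
import math

# Constructed inventory for one brownfield floor: device class -> endpoint count.
INVENTORY = {"pc": 200, "phone": 200, "printer": 20, "camera": 30, "hvac": 10, "badge": 10}

# Three pool layouts discussed in the thread (pool name -> classes sharing it).
PER_CLASS = {c: [c] for c in INVENTORY}                       # legacy: a VLAN per device type
PER_VN = {"corp_data": ["pc", "printer"], "voice": ["phone"],  # one pool per VN, SGTs inside
          "iot": ["camera", "hvac", "badge"]}
ONE_POOL = {"floor": list(INVENTORY)}                          # everything in one pool, SGTs only

RESERVED = 3  # assumption: network, broadcast and the SDA anycast gateway address

def prefix_for(hosts: int, growth: float = 0.5) -> int:
    """Smallest prefix length whose block holds `hosts` endpoints plus headroom."""
    need = math.ceil(hosts * (1 + growth)) + RESERVED
    return 32 - max(2, (need - 1).bit_length())   # 2**k >= need, never tighter than /30

def plan(supernet: str, layout: dict) -> dict:
    """Carve one block per pool out of supernet, biggest block first so every
    block stays aligned to its prefix. Returns pool name -> IPv4Network."""
    net = ipaddress.ip_network(supernet)
    sizes = {name: prefix_for(sum(INVENTORY[c] for c in classes))
             for name, classes in layout.items()}
    cursor, pools = int(net.network_address), {}
    for name in sorted(sizes, key=sizes.get):     # ascending prefix = descending size
        block = ipaddress.IPv4Network((cursor, sizes[name]))
        if not block.subnet_of(net):
            raise ValueError(f"{supernet} exhausted while carving pool {name!r}")
        pools[name] = block
        cursor += block.num_addresses
    return pools

def addresses_used(pools: dict) -> int:
    return sum(b.num_addresses for b in pools.values())

LAYOUTS = (("per_class", PER_CLASS), ("per_vn", PER_VN), ("one_pool", ONE_POOL))

def compare(supernet: str = "10.20.0.0/21") -> dict:
    """Total addresses each layout consumes from the supernet."""
    return {label: addresses_used(plan(supernet, layout)) for label, layout in LAYOUTS}

if __name__ == "__main__":
    for label, layout in LAYOUTS:
        pools = plan("10.20.0.0/21", layout)
        print(f"{label}: {addresses_used(pools)} addresses")
        for name, block in pools.items():
            print(f"  {name:10} {block}")
```

The per-class layout costs the most because every small device class is rounded up to its own power-of-two block, which is the address-space side of the "why not just change the SGT" trade-off; the separation and east-west control you get in return is the policy side.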

Thanks for the comments Mike. It's useful.

What I am saying is, let's say it's a brownfield where a customer already had a legacy network and multiple buildings and floors. Generally everything is lumped together on a single floor - printers, HVAC, cameras, PCs etc.; phones may be in a different VLAN...

How have people migrated to SDA from that construct of VLANs?

My question is why change VLANs and have all the issues of changing VLANs, as printers and other devices are generally sensitive to it? Why not change the SGT? A cleaner way in my opinion? What are the benefits of allocating different VLANs/IP subnets? Looking for real-world experiences on how this was done. I can imagine that we need more than one VLAN, but I am looking for how others have carved out subnets etc...

I think other items you need to consider before answering how to build out the IP structure (meaning new or existing ranges) are whether you are going to build your SDA network in parallel to the existing network OR whether you are going to migrate devices in place with a scheduled cut-over. Carving things up and using different SGTs for different nodes allows more granular control of east-west traffic. Check out some of the Cisco Live docs to get a better understanding: https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKCRS-2812.pdf

HTH!