Hello @olguin - below are the permissions that I would not enable - 

• Account-level settings - manage
• Data Services - manage
• Storage Quotas - manage (We do not change this - everyone gets 500MB. We ask for OneDrive be used for Files and Studio/ Stream for media content (i.e., larger files))

I recommend creation of guidelines ahead of enabling 'Admins - add/remove' and 'Permissions - manage'. For certain, everyone would need to be on the same page with assigning permissions. To share, we follow the least access privilege model which is partly explained here:

• Restricting access: Users and processes should only have access to the data, resources, and functionalities they need to perform their designated roles.
• Just-in-time privileges: Elevated privileges should be granted only when and for as long as they are required, then revoked.
• Separation of duties: Tasks should be separated and performed by different individuals with distinct roles, further limiting access.
• Auditing and monitoring: Regularly audit and monitor admin access to ensure compliance and identify potential issues.

I would also implement a shared change log where all subaccount admins documented notable changes to the LMS. For example, installation of an LTI to the subaccount, system settings changes, etc.

References: 

https://community.canvaslms.com/t5/Canvas-Resource-Documents/Canvas-Account-Role-Permissions/ta-p/38... 

https://csrc.nist.gov/glossary/term/least_privilege