I've got a Windows 2012 Domain Controller running DNS and DHCP servers. The default setting appears to be Dynamically update DNS A and PTR records only if requested by the DHCP clients.
(This is under Scope Properties -> DNS.)
Is there a downside to selecting Always dynamically update DNS A and PTR records?
What's the difference between that and Dynamically update DNS A and PTR records for DHCP clients that do not request updates (for example, clients running Windows NT 4.0)?
Is there a downside to selecting Always dynamically update DNS A and PTR records?
It depends on what you want to do.
By default, a Windows machine will speak directly to DNS and update its own A record, and it will ask DHCP to update the PTR record. By enabling Always dynamically update DNS A and PTR records you are telling DHCP to update both records even if the client only asks it to update the PTR.
What's the difference between that and "...for DHCP clients that do not request updates..."?
The NT 4.0 example isn't so relevant these days, so consider a mixed environment where you have Windows and Mac (or Linux) clients.
The Windows machines handle their dynamic DNS updates (or they ask DHCP to do so).
But the Mac/Linux clients do not. This option allows DHCP to create records for these machines which do not or cannot request dynamic DNS updates.
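The three choices described above correspond to the DynamicUpdates and UpdateDnsRRForOlderClients values of the DhcpServer PowerShell module. The following is an added example, not code from the answer above; the scope ID 192.168.10.0 and the server name dhcp01 are constructed sample values.

```powershell
# Added example (not from the original answer): read the scope-level DNS dynamic
# update settings and apply the mixed Windows / Mac / Linux configuration described above.
# Assumptions: scope 192.168.10.0 and server dhcp01 are constructed sample values.
Import-Module DhcpServer

$ScopeId    = '192.168.10.0'
$DhcpServer = 'dhcp01'

# DynamicUpdates is one of:
#   OnClientRequest - the GUI default "only if requested by the DHCP clients"
#   Always          - "Always dynamically update DNS A and PTR records"
#   Never           - DHCP registers nothing
# UpdateDnsRRForOlderClients is the "clients that do not request updates" checkbox.
Get-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId |
    Select-Object DynamicUpdates, UpdateDnsRRForOlderClients, DeleteDnsRROnLeaseExpiry, NameProtection

# Keep the default request semantics for Windows clients, but let DHCP register
# A and PTR records for clients that never ask (Mac / Linux), and remove those
# records again when the lease expires so stale entries do not accumulate.
Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId `
    -DynamicUpdates OnClientRequest `
    -UpdateDnsRRForOlderClients $true `
    -DeleteDnsRROnLeaseExpiry $true

# Alternative: make DHCP the owner of both records for every client in the scope.
# Set-DhcpServerv4DnsSetting -ComputerName $DhcpServer -ScopeId $ScopeId -DynamicUpdates Always
```

Omitting -ScopeId sets the server-wide default instead of a single scope; scope settings override the server-wide ones.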
Some things to consider:
Regarding the use of the DnsUpdateProxy group, it is my understanding that only the DHCP servers should be members of that group, not the dynamic DNS update user. The user account is supposed to be added to the DHCP server configuration, not to the DnsUpdateProxy group.
The DnsUpdateProxy group is for DNS Clients. The user is not a client, it is a mechanism used by the client (the DHCP server) to make dynamic updates to DNS when you have secure updates only turned on. The client remains the DHCP server.
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-dnsupdateproxy
When the DHCP server is on a DC, in addition to making the server member of the group and adding the user to the DHCP configuration, you also need to set OpenACLOnProxyUpdates off. If you don't you are adding a vulnerability, because membership in the DnsUpdateProxy group gives too much authority over the DNS records.
Some schools of thought suggest that DHCP on a DC should not be a member of DnsUpdateProxy, and should only have the DNS update user assigned to DHCP. That may be true for older Windows Server, but for 2012 R2 and later, the sense I have from the tech docs is that the server should still be in the DnsUpdateProxy group, but because of being a DC, that group membership's permissions open up the vulnerability.
So, if you have DHCP on a DC with secure dynamic DNS update enabled, you should also run this command on the DC that is running DHCP, so its DNS won't allow "foreign" updates to change records owned by DHCP:
dnscmd /config /OpenAclOnProxyUpdates 0
Bottom line - the DnsUpdateProxy group is not for any user object - it should only be used for DHCP server objects (DHCP clients), and is primarily intended for the "best practices" of having your DHCP server on a non-DC server, to impart the necessary permissions to dynamically update DNS. Adding the secure update user to that group serves no purpose.
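The three points in the post above (group membership, the update credential, and OpenAclOnProxyUpdates on a DC) can be checked from one elevated PowerShell session. This is an added example, not code from the post; the server name DC01 and the account CONTOSO\svc-dhcpdns are constructed placeholders, and the regex over the dnscmd /info output assumes its "Dword: 1" line format.

```powershell
# Added example (not from the original post): audit a DHCP server that is also a DC
# against the three points above. DC01 and CONTOSO\svc-dhcpdns are constructed placeholders.
Import-Module ActiveDirectory, DhcpServer

$DhcpServer = 'DC01'

# 1. Only DHCP server computer objects belong in DnsUpdateProxy. Warn on anything else,
#    e.g. a user account that was added there by mistake.
$members = Get-ADGroupMember -Identity 'DnsUpdateProxy'
$members | Select-Object name, objectClass
$members | Where-Object objectClass -ne 'computer' |
    ForEach-Object { Write-Warning "Unexpected $($_.objectClass) in DnsUpdateProxy: $($_.name)" }

# 2. The dynamic update user is configured on the DHCP server itself, not via the group.
Get-DhcpServerDnsCredential -ComputerName $DhcpServer
# To (re)set it:
# Set-DhcpServerDnsCredential -ComputerName $DhcpServer -Credential (Get-Credential 'CONTOSO\svc-dhcpdns')

# 3. On a DC running DHCP, OpenAclOnProxyUpdates must be 0 so records registered by a
#    DnsUpdateProxy member are not left with an open ACL. The post uses dnscmd for this;
#    the "Dword: <value>" line in the /info output is an assumption about its format.
$info = (dnscmd $DhcpServer /info OpenAclOnProxyUpdates) -join "`n"
$info
if ($info -match 'Dword:\s+1\b') {
    Write-Warning 'OpenAclOnProxyUpdates is 1; applying the hardening from the post.'
    dnscmd $DhcpServer /config /OpenAclOnProxyUpdates 0
}
```

Run the audit on every DC that hosts DHCP; the setting is per DNS server, not replicated through AD.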