I always build my side as route-based. They make the routing table neater and I can pick up those static routes to the remote-site VPN and redistribute them into OSPF for use by the other sites on the internal network.
You have correctly identified the issues.
I create a separate tunnel interface where all the policy-based VPNs connect using multipoint. Then add the NHTB entry for each new site. This tunnel interface only needs to consume a single IP address as it never has to neighbor to anyone else.
I'll then use a different subnet for the hub tunnels for the base network.
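The hub layout described above, written out as an added ScreenOS configuration sketch (not the poster's own config): one shared tunnel interface, one NHTB entry and one static route per spoke, and the statics redistributed into OSPF. All addresses, VPN names and the route-map name are constructed, and the exact redistribution and route-map syntax is given from memory, so check it against your platform's CLI reference before use.

```screenos
## Shared tunnel interface for every policy-based spoke VPN.
## It carries a single hub address; the NHTB next hops are
## per-spoke addresses that never form a routing adjacency.
set interface tunnel.1 zone "Untrust"
set interface tunnel.1 ip 10.255.0.1/24

## Bind each spoke VPN to the shared interface and give it its
## next-hop tunnel binding so traffic is steered into the right SA.
set vpn "vpn-spokeA" bind interface tunnel.1
set interface tunnel.1 nhtb 10.255.0.11 vpn "vpn-spokeA"
set vpn "vpn-spokeB" bind interface tunnel.1
set interface tunnel.1 nhtb 10.255.0.12 vpn "vpn-spokeB"

## Static routes to the spoke LANs point at the NHTB next hops,
## so the routing table stays readable per site.
set route 192.168.11.0/24 interface tunnel.1 gateway 10.255.0.11
set route 192.168.12.0/24 interface tunnel.1 gateway 10.255.0.12

## Redistribute only the static routes learned via tunnel.1 into
## OSPF so the other internal sites learn the spoke networks.
## (route-map and redistribute syntax assumed; verify locally)
set vrouter "trust-vr"
set route-map name "rm-vpn-static" permit 10
set match interface tunnel.1
exit
set protocol ospf
set redistribute route-map "rm-vpn-static" protocol static
exit
exit
```

Verify the result with `get route` on the hub and `show ip route ospf` (or the platform equivalent) on another internal site; only the spoke prefixes should appear as external OSPF routes, not the tunnel subnet itself.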