I believe that ideally the branch router should connect to the Main SRX and the Backup SRX separately. If the branch router connects to the backup SRX via the Main SRX, what would happen if the Main SRX malfuntions? You will lose connectivity to the backup SRX. Anyways, thats just my humble opinion.
Regarding your question:
I will go with Main SRX, this way you will filter/block non-desired traffic upfront. Besides, if you decide not to filter the traffic on the Main SRX and leave this task to the Backup SRX, the traffic will still need to be processed by a security-policy on the Main SRX (a sec-policy that will be permitting all the traffic).
Security-wise: non-desired traffic to be filtered as soon as possible.
Processing-wise: It makes no difference to the Main SRX, it will have process the traffic via security policies even if you deside to filter the traffic on the backup SRX.
I really hope this opinion helps you. Please mark my comment as "Solution" if it applies.