Is the Profile suitable for local enterprise use?
No. See Section 1 of the Profile, under “Relationship to institution-specific MFA signalling needs”. In general, the Profile is not suited for local use, for the reasons noted there. Defining a local signal for one’s own MFA policies is a better approach.
How should "Exceptions" to MFA Policy be handled?
Exceptions are not allowed by the REFEDS MFA Profile.