I think PCR 7+8 (for GRUB) or PCR 7+12 (for systemd-boot) should be okay. The more PCRs you add, the higher the likelihood you need to re-enroll after updates.
https://www.freedesktop.org/software/systemd/man/systemd-cryptenroll.html
The reason why using your own keys can be a problem is that if you exclude the Microsoft certificates, then OpROMs from graphics cards stop working. You have to add the Microsoft certs after using your own key for the top-level platform key.
For Debian, if you use out-of-kernel modules like Nvidia, you have to create signing keys and edit a config file so DKMS signs those modules for them to work with Secure Boot. Instructions are on the Debian wiki.
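
The trade-off between PCR selection and re-enrollment mentioned in the comment above, as an added example that is not part of the original post. It is a simplified model of TPM PCR extension for the GRUB case (PCR 7+8); the event strings are constructed, and `binding()` is a stand-in for a PCR policy, not the TPM2 PolicyPCR format.

```python
import hashlib

PCR_COUNT = 24

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: new PCR = SHA-256(old PCR || SHA-256(measured data))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def boot(events):
    """Replay (pcr_index, measured_data) events from an all-zero PCR bank."""
    bank = [bytes(32)] * PCR_COUNT
    for index, data in events:
        bank[index] = extend(bank[index], data)
    return bank

def binding(bank, pcrs):
    """Simplified stand-in for a PCR policy: hash of the selected PCR values."""
    h = hashlib.sha256()
    for index in sorted(pcrs):
        h.update(index.to_bytes(1, "big") + bank[index])
    return h.digest()

def survives(enrolled_events, current_events, pcrs):
    """True if a key sealed at enrollment would still unseal on this boot."""
    return binding(boot(enrolled_events), pcrs) == binding(boot(current_events), pcrs)

# Constructed event logs (not real measurements). PCR 7 holds Secure Boot
# state; GRUB measures its commands and the kernel command line into PCR 8.
ENROLLED = [
    (7, b"SecureBoot=1;db=constructed-cert-list"),
    (8, b"grub_cmd: linux /vmlinuz-A root=/dev/mapper/root ro quiet"),
]
# After a kernel update the menu entry, and so the measured command, changes.
AFTER_UPDATE = [
    (7, b"SecureBoot=1;db=constructed-cert-list"),
    (8, b"grub_cmd: linux /vmlinuz-B root=/dev/mapper/root ro quiet"),
]
# Secure Boot switched off in firmware: PCR 7 changes.
SECURE_BOOT_OFF = [
    (7, b"SecureBoot=0;db=constructed-cert-list"),
    (8, b"grub_cmd: linux /vmlinuz-A root=/dev/mapper/root ro quiet"),
]

def report():
    """Map each PCR selection to (unseals after update, unseals with SB off)."""
    return {name: (survives(ENROLLED, AFTER_UPDATE, pcrs),
                   survives(ENROLLED, SECURE_BOOT_OFF, pcrs))
            for name, pcrs in (("7", [7]), ("7+8", [7, 8]))}

if __name__ == "__main__":
    for name, (update_ok, sb_off_ok) in report().items():
        print(f"PCRs {name}: after update={update_ok}, Secure Boot off={sb_off_ok}")
```

Binding to PCR 7 alone survives the constructed kernel update but still fails when Secure Boot is turned off; adding PCR 8 also covers the boot command line, at the cost of a re-enroll whenever that measurement changes.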