We recommend to package entire application in the product rule configured for pipeline instead of delta. So that there will not be any confusion of deploying multiple artifacts because latest artifact is the only one you needed and importing delta will be taken care by pega platform.
You can split your pipeline into 2 pipelines. One is from Dev to QA and another is from Dev to Prod(higher environments). So that you can do any number of releases to QA using first pipeline and once you are ready for release to production then you can trigger second pipeline using "Deploy existing artifact" option by selecting latest artifact which will have entire application.
How do we address the risk of moving a non versioned rule from dev where a developer updated for testing purpose. For example to add a dev role for a manager, or updating dev access group on a service package.
In the product rule under 'Deployment' tab you have an option 'Bypass updates for class instances on import'. Here if you specify the classes then instances of those classes will not get modified post import for your subsequent deployments.