All right, it took time to figure out myself, but here is the gist (for someone who may have the same questions) - I hope I got it right.
With smb acl I think I understand that in most scenarios I just leave it as @everyone FULL ALLOWED, so unless there is something wrong with that understanding we can leave that be.
Yes this is ok as long as the filesystem ACLs are set properly.
I have a samba user (smbusr) and I have an application (apps group). I want to write files to a dataset (dataset1). I set the ACL owner smbusr user 777 and group as apps 777 and other to none.
Is there something wrong with this? If so what would be the recommended setup?
Yesn’t. This is totally valid and I won’t lose admin access because the TrueNAS GUI uses elevated access (basically the TrueNAS admin in the GUI is op). But…
I read in documentation that I want to have admin user and group as owner. Is there any issue if I don’t have the admin user there?
It is recommended to set the owner user and group to the TrueNAS admin to have the ability to “admin” this through other means. Even if that is not foreseen, I found out this is the recommended best practice. So in my case I had to set up the TrueNAS admin user and group as owner and separate ACL access for the smbuser and apps group (and an appropriate mask, which is obligatory if custom ACLs are created).
Default acl: 3. Do I understand correctly that what I set to default acls is what will be set to new files/directories? So If I set user: abcd it will always have owner user abcd regardless by whom it was created?
Yes and no. Yes - what is set as default will be set to children files and directories, but No - it doesn’t apply for owner user and group. Owner will be always user and group who created it. To set permission for this unknown future owner I need to set default ACL for the dataset to User Object and Group Object.
Root dataset: 4. I know I can not edit permissions for it, can I somehow create smb access to root so that I can read and write? Because I as administrator want to be able to just mount this root dataset and do whatever I want - e.g. copy app configs from my previous nas (omv) or add media or whatever.
It is possible to set smb share to root, but it is not recommended and it has some issues (I didn’t find what exactly). It is possible to connect to “root” via File explorer in windows and on Linux with Gnome Files - simply go to network and find the truenas (may be also under truenas.local). This is not really connecting to root, but rather getting list of available shares - for given user. It kinda behaves as if I am in root and browse directories.
It is not possible to do this with automounting on Linux however. So I had to set up automount for each separate samba share.
Thank you
I am welcome 
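
Added example, not part of the original post: a small Python model of the POSIX ACL rules from acl(5) that the answers above rely on (default entries are copied to children, the owner comes from the creator, and the mask caps named entries). The getfacl-style dump, the `admin` owner name and the create modes are constructed sample values; `smbusr` and `apps` are the names used in the post.

```python
# Constructed getfacl-style dump (names and entries are sample values).
SAMPLE = """\
# file: dataset1
# owner: admin
user::rwx
group::rwx
other::---
default:user::rwx
default:user:smbusr:rwx
default:group::rwx
default:group:apps:rwx
default:mask::rwx
default:other::---
"""

def parse_getfacl(text):
    """Split a getfacl dump into access and default {(tag, qualifier): perms}."""
    access, default = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        target = access
        if line.startswith("default:"):
            target, line = default, line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        target[(tag, qualifier)] = perms[:3]
    return access, default

def _and(a, b):
    return "".join(x if x == y != "-" else "-" for x, y in zip(a, b))

def inherit(default, creator, creator_group, mode):
    """New child's access ACL per acl(5): copy the default entries, then AND
    user::, mask:: (group:: if no mask) and other:: with the create mode.
    The owner comes from the creating process, never from the default ACL."""
    child = dict(default)
    cap = ("mask", "") if ("mask", "") in child else ("group", "")
    for key, shift in ((("user", ""), 6), (cap, 3), (("other", ""), 0)):
        bits = "".join(c if mode >> shift & b else "-" for c, b in zip("rwx", (4, 2, 1)))
        child[key] = _and(child[key], bits)
    return {"owner": creator, "group": creator_group, "acl": child}

def effective(acl, tag, qualifier=""):
    """Named entries and group:: are capped by mask; user:: and other:: are not."""
    perms = acl[(tag, qualifier)]
    if (tag, qualifier) in (("user", ""), ("other", "")) or ("mask", "") not in acl:
        return perms
    return _and(perms, acl[("mask", "")])
```

A file created with mode 0644 under these defaults ends up with `mask::r--`, so `group:apps:rwx` is effectively read-only on it; this is worth checking when an app cannot modify files written by another user.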