Simon,
Best practice is to have your policy types (Auth/Quarantine/Standard) grouped together, but that's just for optics reasons and makes it easier for you to move them around if necessary.
SWG uses these policies discretely, so you cannot override an Authentication policy by having a Standard policy above it, for example.
Internally, SWG will execute the policies in the following order by Type, then by priority based on the Top Down ordering:
1) Authentication
2) Normal
3) Quarantine
SI