Well, keep in mind that the SEP client is able to belong to only one group. The policy has to apply to the GUP as well because the GUP has to be part of that group in order to serve the clients in that group. So, it won't be possible to add all the GUPs to one group as there can be only one GUP per group. Actually, let me correct myself: one GUP per group per location. So, if you really want to, you would have to break that one group down into its locations with a distinct LiveUpdate policy for each location. Then, you would be able to include all the GUPs in one group. The caveat is, the rest of the client base would also have to belong to that group as well. In this design, you would lose the flexibility of having different groups. Might or might not work for you. That's a design decision.
Typically, I filter the groups into servers and workstations and then below that the individual apps or other collections that require group settings. Then I would filter using location-based policies with the groups. I find that to have more flexibility than a traditional flat group design. Again, more of a design issue.
As far as GUP on XP, I don't see too much of an issue, except that you have to keep in mind that XP can only support 10 client connections at a time. To handle 250 clients, you'll have to adjust the randomization to a pretty high number. My experience with the randomization in previous versions of SAV was not pleasant, though I haven't had any issues yet with SEP. Can't say I recommend it, though.
For 250 clients, I would definitely look into the LiveUpdate Administrator. For SEP, you don't really need secondary servers. So, I would remove all SAV/SCS-related installations on the Secondary server, install a regular SEP client on it, and then install the LiveUpdate Administrator. Then, instead of using GUP in the LU policy, you would specify the LUA server for that group/location. The thing I don't like about the LUA approach is that there is no centralized configuration for them. Each LUA server you spin up has to be managed and configured individually. LUA also has a tendency to corrupt itself. In my 6-month testing period, I had to repair/remove the software 3 times. There's also no monitoring for that, so you'll have to custom-build scripts to make sure that the service is healthy.