In my opinion, option 5 is the best (and only option) you can/should use.
You often have site 2 site VPN's with public IP addresses in the encryption domain, and these need to be excluded from the 'internet' object as well.Creating a group 'all_customerX_networks' and negating this in the policy never fails.
The natting policy would then contain a rule 'all_customerX_networks' to 'all_customerX_networks' -> no nat. Above, you can put all internal natting, below, you should put all Hide NAT rules to internet.
The moment security zones are permitted in the NAT rule, I will switch to this, but for now, I will stick to negating this object.