Really good questions, unfortunately I don’t have elegant answers to either of them.
Deleting rules is a tricky one with AUTH0_ALLOW_DELETE=false. If we do major refactoring or end up wanting to delete a rule, we first disable the old rule and push that. Then periodically we delete the old rules from the repo and push again. Because of this flag being set, the rule is not actually deleted in Auth0 staging and prod, but once the config has been pushed successfully to these environments they are just deleted manually from the web interface. Not elegant, but it works.
As for backing up users, there is a bit more to the story. Turns out its not really possible to backup all users properly 
See Full backup of Auth0 users