# Prevent Script Injections
I have not tried these rules.
For all the rest, I can assure you that everything seems okay to me. However, a few are not necessarily required.
# Disable directory browsing
It will prevent listing of your internal directory. This rule is pre-configured at Cloudways, so you don't need to repeat it. Want to test it? You may check by browsing any folder
I am sure it will not list a single file or folder on the screen.
# Disable access to wp-config / php.ini / .htaccess files
At Cloudways, I found that only php.ini needs protecting to prevent directory access; all the rest seems pre-configured. Generally, the WordFence plugin adds php.ini, and as you said, you are not going to use this plugin, so you can ignore this one. Just my opinion, as I am more in favor of less code.
# Disable modifications to wp-admin / wp-includes folders
This might be really helpful for protecting core files. It is recommended in the Codex too.
# Disable xmlrpc (if mobile wordpress app or pingbacks not in use to access wordpress admin)
You may need XML-RPC if you use JetPack or the WordPress app. If you don't need it, it's a good idea to disable it to prevent brute-force attacks.
# Prevent Username Enumeration
I have not tried this. Rather, I can recommend keeping a strong username and password.
# Restrict PHP
No idea about this. Rather, I have been using a similar rule:

```
deny from all
```

You may place it in directory
The uploads directory is basically for images. We may restrict execution of PHP files inside it.
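
As an added example, not part of the original reply: one way to write the uploads-directory rule described above so that it works on both Apache 2.2 and Apache 2.4. The file location (`wp-content/uploads/.htaccess`, the WordPress default) and the list of PHP-style extensions are assumptions.

```apache
# Constructed example. Assumed location: wp-content/uploads/.htaccess
# Denies direct requests for PHP-style files in this directory and below;
# images and other media are still served normally.
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar)$">
    <IfModule mod_authz_core.c>
        # Apache 2.4 syntax
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 syntax, the "deny from all" form quoted in the reply
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

With this in place, a request for any `.php` file under the uploads directory should return 403 while image URLs keep loading. The rule only takes effect if the host allows `.htaccess` overrides for that directory.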