We are currently using such an ACL.
However, it creates difficulties and problems.
Any time a new interface is added to the controller, it must be added to the ACL as well.
Furthermore, adding the ACL to the uplink port is not enough. It must be added to all active interfaces and roles, such as wireless or VPN roles.
Last but not least, there is the requirement for a firewall licence. Such an ACL is only possible if the controller has a firewall licence. It is not a good idea to need a firewall licence just to protect the device itself, in situations where a firewall for the users is not required.