I would recommend separate salt masters for prod and everything else.
Dev: stuff under development from checked out files under git in various environments, stable stuff from gitfs. Preprod salt master.
QA/UAT: everything from gitfs master branch base env. Preprod salt master.
Prod: everything from SPM, promoted to prod by SPM build jobs at the end of QA/UAT. Prod salt master, with pillars under secured source control.
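A sketch of how the two masters' file server settings could differ under this layout, as an added example that is not part of the original post. The repository URL, the file names and the /srv/salt-dev and /srv/pillar-prod paths are placeholders chosen for illustration; /srv/spm/salt is SPM's default formula install path.

```yaml
# --- Preprod master: /etc/salt/master.d/fileserver.conf (file name is an assumption) ---
# Serves dev environments from working-tree checkouts and the base
# environment (used by QA/UAT) from the git master branch.
fileserver_backend:
  - roots      # checked-out files, searched first
  - gitfs      # stable states straight from git

file_roots:
  # No "base" entry here, so base is served only by gitfs.
  dev:
    - /srv/salt-dev/states        # placeholder path to a git checkout under development

gitfs_remotes:
  - https://git.example.com/salt/states.git   # placeholder URL

gitfs_base: master                # git branch that is exposed as the "base" environment

---
# --- Prod master: /etc/salt/master.d/fileserver.conf (file name is an assumption) ---
# No gitfs backend at all: states reach this master only as SPM packages
# installed by the promotion job at the end of QA/UAT.
fileserver_backend:
  - roots

file_roots:
  base:
    - /srv/spm/salt               # where SPM installs formulas by default

pillar_roots:
  base:
    - /srv/pillar-prod            # placeholder path: checkout of the access-restricted pillar repo
```

With gitfs absent from the prod master's `fileserver_backend`, a push to the states repository cannot change what prod minions receive; only an SPM install on that master can.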