The vCenter Server must not override port group settings at the port level on distributed switches.
Port-level configuration overrides are disabled by default. Once enabled, this allows for different security settings to be set from what is established at the Port Group level. If overrides are not monitored, anyone who gains access to a VM with a less secure VDS configuration could exploit that broader access.
If there are cases where particular VMs require unique configurations then a different port group with the required configuration should be created instead of overriding port group settings.