I thought that mod_security is a front-end to web server applications, I mean that all client requests pass through mod_security and if itīs not blocked then mod_security pass to apache (or other web server application as iis or nginx) except response headers, in that case, mod_security gets web application server response and scan response headers, so mod_security acts as a door between client requests and server response scannning in both directions before pass http/s traffic:
In vhosts directives, I have never seen mod_security customized rules except to module disabling but I could be wrong and someone write specific rules for a specific virtual host.
In servers I manage, I only have general rules applied to all virtual hosts except disabled ones.
Some weeks ago a client triggered mod_security rules because of content management systems method and http version. I ask him to change get to post and use latest http version (1.2). If you are right, I should be able to develop own rules for that virtual hosts to allow get method and http 1.1 version.