It's sort of a catch 22, none of the options are all that great.
If you put the negate rules above user rules with quick on, then all internal hosts can reach all hosts on the VPN - many people don't want this.
If you put the negate rules above user rules with quick off, a block rule or other rule that matches can make them be skipped entirely.
If you put the negate rules below the user rules with quick on then user rules with a gateway set wouldn't be bypassed.
Best way is always to use your own negate rules.