I'm sure this is a dumb one.

Our setup:

"primary" tree has eDir to eDir driver

Which syncs to a Vault

Vault has eDir to eDir driver (sync back to Primary) as well as eDir to
AD driver.

In the Primary tree, there's basically three UP policies:

1) Default User
2) One for "special" service accounts so their passwords do NOT change
3) The IDM policy (the one you cannot touch/edit)

If I make a change to the Default User one (ie, let's say remember
password for X days or do Case Sensitivity), do I need to also adjust
the one for the Vault?

Nobody authenticates to the Vault (except for an Admin account).

We sync passwords one way from eDir to AD (we don't sync from AD to eDir
for passwords)

Technically the eDir to eDir is setup to allow bi-directional password
sync, but I don't think we've ever used that sinc shutting off AD to
eDir password syncing.