AM deployment model

on what grounds should we base our deployment decision between separate and shared identity stores?

Greetings 4410488.
( I have to admit I never want anyone referring to me as a number)

I offer some opinions for you. Be informed that my experience in deployment of these services (and competing services) spans 3 decades.
I quite like the fact you have raised this question. As I have no idea of your background or experience, I must ask, do you know the Deployment Guides and Installation Guides of all the products you are using in your solution? They can be found here:

Such background information is essential to assist with useful responses to this question.
Superficially, I submit the argument that if the Identity Store is additionally accessed by additional clients beyond AM and IdM, that I would tend to lean towards separate stores. Segregation of data, simplified access control rules, and load would be some criteria worth consideration.
The Shared Identity Store has an enhanced schema in support of IdM. I would further worry that this implementation of the schema may be the target for management outside of IdM. (IE: an overzealous admin with apache directory studio)
Similarly, should the store be strictly accessed by the platform, that the consolidated Identity Store may be of value for simplicity of the deployment architecture sake.

The nice thing about opinions is that everyone has one… I am hopeful some competing posts are provided to assist you with this architectural and deployment question.