As a follow-up to this for those who want the full picture.
We will have multiple VDOMs on the main FortiGate with matching VDOMs on the branch campus FortiGates (employees, residents, clients). This traffic should remain separated, so we're using EMAC VLANs and assigning each EMAC VLAN to the appropriate VDOM. Then the default route for the branch employee VDOM is the employee VDOM at the main site, the route for the branch resident VDOM is the main resident VDOM, etc. If you've done a design like this before, let us know your experience.