Can I just check - when you say multi site, you mean 'Splunk Multi-site Cluster', rather than 1 cluster, simply running across multiple sites 🙂
I am assuming the answer is yes..

Have you configured site replication to unburden the small sites with multiple copies of data from the larger sites - this is not an answer to your specific question, but it might buy you some time.

On a previous deployment, I discovered that whilst you can not set a site to have 0 copies of another sites data, you can 'imply' it:
Assuming 5 sites: 3 big ones (s1, s2, s3), and two little (s4, s5):

site_replication_factor = origin:2, site1:2, site2:2, site3:1 total:5

Will mean that your small sites wont get replicated copies of sites 1-3's data, but they will always hold two copies of anything indexed locally. I cant find anything to say this is an officially supported approach, but the documentation does say:

..., the replication factor ... is not a
requirement. An explicit site is a
site that the replication factor
explicitly specifies. A non-explicit
site is a site that the replication
factor does not explicitly specify.

Which I read as "meh..it should be ok"

edit: added link https://docs.splunk.com/Documentation/Splunk/7.0.1/Indexer/Multisitearchitecture

I'm not sure option 3 would work, and I very much doubt that it would be supported - A cluster works on the idea that an entire indexes data exists in full in at least 1 other location - If that location has differing bucket life-cycles, then your remote site is not upholding its end of the bargain.

For the pain and problems you could otherwise be facing, could I offer option 4, which would read 'add more disks' ?
I know that is something you have probably deliberately omitted, but I cant help but think it would be your path of least resistance (until you submit a PO, anyway)

I forgot to put the specific change, need for change here: the 2 smaller sites in question have smaller hotwarm disks, so the change would be hotwarm to cold rollover based on size (maxVolumeDataSizeMB).