I have tested the use case that you mentioned, where deployments are made on an OU having only OUs as children but no accounts. However, I haven't received any errors by doing so. Moreover, if one or more child OUs in the specified OU are actually empty, CloudFormation throws no errors and deploys to the OUs that have accounts. (If auto deployment is enabled, a CREATE stack instance operation will be initiated for any new accounts added to the empty OUs targeted by the StackSets.)
Finally, you can make use of Account Filter Type while deploying to have much better control over deployments: it lets you limit deployment targets to individual accounts or include additional accounts with the provided AWS Organizations units (OUs) in your Create, Update, or Delete operations.
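The targeting behaviour described in the answer above, as an added example that is not part of the original answer and is not AWS code: a local model of how a `DeploymentTargets` block resolves to accounts across nested and empty OUs, useful for reviewing the reach of a StackSet operation before running it. The OU ids, account ids and tree are constructed; the `DeploymentTargets` keys and the `AccountFilterType` values `NONE`, `INTERSECTION`, `DIFFERENCE` and `UNION` are those of the CloudFormation StackSets API.

```python
# Added illustration: local model of StackSets target resolution.
# The organization below is constructed sample data, not a real one.

# Parent OU that holds only child OUs; one child OU is empty.
OU_CHILDREN = {
    "ou-demo-parent": ["ou-demo-dev", "ou-demo-empty"],
    "ou-demo-dev": [],
    "ou-demo-empty": [],
}
OU_ACCOUNTS = {
    "ou-demo-parent": [],
    "ou-demo-dev": ["111111111111", "222222222222"],
    "ou-demo-empty": [],
}


def accounts_under(ou_id):
    """Return all accounts in an OU and in its nested child OUs."""
    found = set(OU_ACCOUNTS.get(ou_id, []))
    for child in OU_CHILDREN.get(ou_id, []):
        found |= accounts_under(child)
    return found


def resolve_targets(deployment_targets):
    """Return the sorted account ids a DeploymentTargets dict selects."""
    in_ous = set()
    for ou_id in deployment_targets.get("OrganizationalUnitIds", []):
        in_ous |= accounts_under(ou_id)
    listed = set(deployment_targets.get("Accounts", []))
    mode = deployment_targets.get("AccountFilterType", "NONE")

    if mode == "NONE":            # every account in the targeted OUs
        selected = in_ous
    elif mode == "INTERSECTION":  # only listed accounts that are in the OUs
        selected = in_ous & listed
    elif mode == "DIFFERENCE":    # the OUs' accounts minus the listed ones
        selected = in_ous - listed
    elif mode == "UNION":         # the OUs' accounts plus the listed ones
        selected = in_ous | listed
    else:
        raise ValueError(f"unknown AccountFilterType: {mode}")
    return sorted(selected)
```

An empty result, as for a target that contains only empty OUs, corresponds to the case in the answer where no stack instances are created and no error is raised.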