There are a lot of things that mod_security can do to help protect a website, but it does use resources (just like any software running on a machine).
If you're using an enterprise-grade firewall on a separate machine prior to the user ending up on your physical device, then often the work is handled by those machines and you can safely disable mod_security on your individual server (or on a domain by domain basis).
Disabling as a general rule is not normal from what I remember. There are places like Kinsta and WPEngine that disable it by default, but they've offloaded the protection to a separate firewall.
I guess it will depend on how your security is set up, and what you're using as a firewall before hitting your physical machine. The VPS machines that I currently utilize still have mod_security on them, with explicit instructions based on what the machines are designed to do.
We've not had issues with resources, but then on the VPS machines, they're not configured for heavy loads either. Sites with heavy loads are usually shifted off to other locations, utilizing load balancing etc, and at that point utilizing separate WAF systems that negate the need for mod_security.
mod_security itself is designed to detect certain rules and then act upon them. Usually you design it so that it prevents certain situations rather than specifying all the things that it CAN do. As a result, the load impact is usually minimal as it's only looking for things that it CAN'T do, similar to how a software firewall (ConfigServer Firewall, for example) operates.
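
A sketch of the domain-by-domain setup described above, as an added example that is not part of the original post. It assumes ModSecurity 2.x loaded as `security2_module` on Apache; the hostnames, document roots and the rule id 100001 are constructed placeholders.

```apache
# Server-wide default: the rule engine is on and blocking.
<IfModule security2_module>
    SecRuleEngine On
    SecRequestBodyAccess On

    # Deny-style rule: name one thing a request may NOT do and reject it.
    # Everything that matches no rule passes through untouched.
    SecRule REQUEST_METHOD "@streq TRACE" \
        "id:100001,phase:1,deny,status:405,log,msg:'TRACE method not allowed'"
</IfModule>

# Site served directly from this machine: inherits the default above.
<VirtualHost *:80>
    ServerName app.example.com
    DocumentRoot /var/www/app
</VirtualHost>

# Site that is only reachable through a separate upstream WAF:
# rule processing is switched off for this domain alone.
<VirtualHost *:80>
    ServerName offloaded.example.com
    DocumentRoot /var/www/offloaded
    <IfModule security2_module>
        SecRuleEngine Off
    </IfModule>
</VirtualHost>

# Site being evaluated before a decision to disable: rules still run
# and write to the audit log, but no request is blocked.
<VirtualHost *:80>
    ServerName trial.example.com
    DocumentRoot /var/www/trial
    <IfModule security2_module>
        SecRuleEngine DetectionOnly
    </IfModule>
</VirtualHost>
```

Running a domain in `DetectionOnly` for a while shows from the audit log what the local rules would have caught, which is a useful check that the upstream firewall really covers it before switching to `Off`.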