Are your 3 WAN interfaces all on separate ISP?
Basically, I would create a virtual router routing instance for each ISP with their own default route.
routing-instance NAME type virtual router
These will each have their own routing table so they can have independent default routes. You place the matching ISP interface here. By adding the interface to this virtual router instance. If you have a LAN segment then dedicated to this ISP you simply add their interface to this same virtual router. Now all is self contained and this LAN uses the ISP that it shares.
For the VPN you can have the tunnel interface where the decrypted traffic egresses in a different virtual router from the WAN gateway interface. So this gives you flexibility to have the IPSEC come up on one virtual router while the back end traffic is in another if needed.
Failover can be had by layering on ip monitoring to change routes when criteria fail.
https://kb.juniper.net/InfoCenter/index?page=content&id=KB25052&smlogin=true&actp=search
In this situation then you will also need to have the alternate route to the other virtual router in order to use the other ISP. For this you can use rib groups to leak routes between the two virtual routers or setup a tunnel interface internal to the SRX between the two routers. Or physically connect two ports on the SRX where one is in each virtual router.