You've made this both clearer and less clear to me at the same time.
What I'm reading in your reply is that customers with an external (non-MS) security gateway (foobar) may have an ingress MX record of contoso.foobar-services.net. That is then configured as a connector in the MS365 tenant. To avoid bypassing the foobar email security gateway, MS365 customers/administrators can use the RejectDirectSend setting to make the contoso-com.mail.protection.outlook.com inert to inbound email.
Assuming I have the above right, this part makes sense.
What doesn't make sense is that NONE of the above touches on emails specifically with a sender domain of contoso.com - if the above logic is desirable, SURELY that is desired for ALL mail and NOT JUST email sent claiming to be from contoso.com.
Again, Microsoft REALLY needs to clean up their communication to customers here. I agree with the other comments around the importance of the reporting.
If I'm now understanding what you're saying correctly - for an environment like mine, where we use the default FQDN given to us by EXO in our MX record, using the RejectDirectSend setting would be disastrous for mail flow.