New capabilities that help proactively secure data with Microsoft Purview Data Loss Prevention

Steven Choy You can achieve that through a custom OMA-URI policy in Intune, if you were not aware. You can read up on it here, this will solve exactly what you're looking to do. It includes setting the default policy to deny, building a list of trusted USB types, setting a specific group to having different access, and some other examples as well.

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/deploy-manage-removable-storage-intune?view=o365-worldwide#deploy-removable-storage-access-control-by-using-intune-oma-uri