Chiming in here as this is something I've had to deal with personally. I wanted to make sure apps continue to get updated, including non-provisioned inbox apps that we don't explicitly add to Intune, because there have been security vulnerabilities in them. We want to block the store itself, but we still want the apps to update.
- Block the store using GP or Intune
- Look at an app that is out of date in Settings.
- You can run a WMI Method to update apps if they are needed. However, this method requires administrative rights. They should update on their own though, but I cannot comment on non-free apps, at least, not yet.
Get-CimInstance -Namespace root\cimv2\mdm\dmmap -ClassName MDM_EnterpriseModernAppManagement_AppManagement01 | Invoke-CimMethod -MethodName UpdateScanMethod
Personally, my problem with all of this isn't the store itself, or the business store, but just the AppX model. The architecture behind modern apps is just awful, filled with privilege escalations all over the place, multiple locations where files are kept, inability to remove an app if it's lodged in profiles, etc. It's just an administrator's nightmare. Add in any sort of change - like what this is all about, and go figure, people have problems because it's already a difficult ecosystem to support and manage to begin with, and it's just unnecessarily complicated, filled with gotchas.
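An added example, not part of the comment above: a script that wraps the update-scan call from the steps with a check of the Store policies and a before/after comparison of installed app versions. The function name `Get-AppVersionMap`, the `$WaitSeconds` parameter and its default are assumptions made for illustration; the scan runs asynchronously, so a short wait may show no changes yet.

```powershell
#Requires -RunAsAdministrator
# Added example (not the commenter's code). $WaitSeconds is an assumed value.
param([int]$WaitSeconds = 300)

# Report the Store policies that decide whether inbox apps can still update.
# RemoveWindowsStore = 1 is the "Turn off the Store application" policy;
# AutoDownload = 2 is "Turn off Automatic Download and Install of updates".
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
[pscustomobject]@{
    StoreBlocked       = ($policy.RemoveWindowsStore -eq 1)
    AutoUpdateDisabled = ($policy.AutoDownload -eq 2)
} | Format-List

# Highest installed version per package name across all user profiles.
function Get-AppVersionMap {
    $map = @{}
    Get-AppxPackage -AllUsers | ForEach-Object {
        $v = [version]$_.Version
        if (-not $map.ContainsKey($_.Name) -or $v -gt $map[$_.Name]) {
            $map[$_.Name] = $v
        }
    }
    $map
}

$before = Get-AppVersionMap

# Same call as in the steps above: ask the MDM bridge to scan for app updates.
Get-CimInstance -Namespace root\cimv2\mdm\dmmap `
    -ClassName MDM_EnterpriseModernAppManagement_AppManagement01 -ErrorAction Stop |
    Invoke-CimMethod -MethodName UpdateScanMethod | Out-Null

# The scan only queues work; give the downloads time before comparing.
Start-Sleep -Seconds $WaitSeconds
$after = Get-AppVersionMap

# List packages whose version increased since the scan was triggered.
$after.GetEnumerator() |
    Where-Object { $before.ContainsKey($_.Key) -and $_.Value -gt $before[$_.Key] } |
    ForEach-Object {
        [pscustomobject]@{
            Name = $_.Key
            Old  = $before[$_.Key]
            New  = $_.Value
        }
    } | Sort-Object Name | Format-Table -AutoSize
```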