Service Domain restrictions

I’m currently implementing an Endpoint DLP policy to enforce service domain restrictions. The goal is to prevent users from uploading documents to non-corporate domains and only allow uploads to a specific allow-list (authorized domains), we only use Microsoft Edge 

I have the basic configuration working, but I have a few questions about behaviors I’m seeing:

1. Dynamic Groups: Is it supported to use Microsoft 365 Dynamic Groups for the policy scope/assignment?
2. File Types: How can I make the policy target all file types? Currently, I'm managing this via a defined list of extensions, but I'd like to cover everything.
3. Copy/Paste vs. Upload (The main issue): When I drag and drop or use the "Upload" button from File Explorer to a blocked domain, the action is blocked as expected. However, if I copy and paste the file (or content) directly into the website, it bypasses the block and uploads successfully. Why does this happen?
4. Policy Activation: It seems documents only pick up the policy restrictions after they are modified. Is this the expected behavior?

Any recommendations or insights on what I might be missing would be appreciated. Thanks!