Hello,

You can block downloads in SharePoint Online and Ondrive ,

-Conditional Access Policy 

Control access from unmanaged devices:

https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices?redirectSourcePath...

Microsoft recommends you protect content in SharePoint sites with sensitive and highly-regulated content with device access controls. You do this by creating a policy that specifies the level of protection and the sites to apply the protection to.

• Sensitive sites: Allow browser-only access. This prevents users from editing and downloading files.
• Highly regulated sites: Block access from unmanaged devices.

See "Block or limit access to specific SharePoint site collections or OneDrive accounts" in this article: Control access from unmanaged devices.

@George Smyrlis 

MCAS cannot enforce session policies on desktop/native apps. Session policies and controls (including block downloads) are limited to browser sessions only. This is documented at: https://docs.microsoft.com/en-us/cloud-app-security/session-policy-aad

For native/desktop apps, MCAS can allow or block access completely using a CAS Access policy but this does not allow granular control over activities.

A typical implementation in a scenario where one wants to limit downloading of files for users on non-compliant or non-hybrid joined machines, is to have a CA policy in AAD conditional access to forward sessions to CAS (using the 'use custom policy' option) and a CAS access policy to block desktop/native apps (and force users to web-apps) and a CAS session policy to block/control downloads in these web-app sessions.

@George Smyrlis