Is there a method to disallowed_urls instead of allowed_urls?

I am learning about creating a policies for an API and get a question why there is an allowed_urls and no disallowed_urls and If there another way to define the disallowed URLs I will be happy to know it

There isn’t a field defined to disallowed URLs.Your best bet would be to negate regular expressions. You can find more on this topic