You never “allow” each and every connection for the browser. You allow everything for the browser and let blocklist do the magic of blocking spam/ads domains. In addition, use ublock.
for individual apps, allow the domain of the app and block everything else (one filter). That’s all. I never spent time on looking at each connection. Only time that happens is when I install a new app and it takes 30 seconds honestly.
blocklists. They stop everything by default for all apps.
