I mainly use in two limited modes.
Here, I give limited outside internet access to specific subnets. Access list is a hand curated list, mostly various auto-update CDN servers like windows update, and major CA operated OSCP servers to cover certificate revocations.
short hand curated list, unfortunately with some fantastically dumb blocks (blocking all .cn for instance)
in the past I did use the whitelist as a ghetto hairpin routing as a bad split horizon DNS hack, since end user browsers using WPAD via DHCP would favor the proxy’s DNS determination, which honors the local static hostname mappings. registered