It should be an allowlist, not a denylist, given how much there is.

Here's the full (current) list just to show the sheer insanity of it:

   allow="accelerometer 'none'; 
   ambient-light-sensor 'none'; 
   autoplay 'none'; battery 'none'; 
   browsing-topics 'none'; 
   camera 'none'; 
   display-capture 'none'; 
   domain-agent 'none'; 
   document-domain 'none'; 
   encrypted-media 'none'; 
   execution-while-not-rendered 'none'; 
   execution-while-out-of-viewport ''; 
   gamepad 'none'; geolocation 'none'; 
   gyroscope 'none'; 
   hid 'none'; 
   identity-credentials-get 'none'; 
   idle-detection 'none'; 
   local-fonts 'none'; 
   magnetometer 'none'; 
   microphone 'none'; 
   midi 'none'; 
   otp-credentials 'none'; 
   payment 'none'; 
   picture-in-picture 'none'; 
   publickey-credentials-create 'none'; 
   publickey-credentials-get 'none'; 
   screen-wake-lock 'none'; 
   serial 'none'; 
   speaker-selection 'none'; 
   usb 'none'; 
   window-management 'none'; 
   xr-spatial-tracking 'none'",

the problem comes when you decide to make a rule for something that was already possible before. let's say you have your deny-all set up becuase you want none of those. and then they add a rule for right clicking (just a silly example) and suddenly stuff breaks

Yes, it's a problem. That's why such lists must be deny all by default in the browser, and you only set allow lists for the stuff you want.

Why would it be a compatibility issue? Every time one gets added it will presumably be added to this list. In fact once you get your embed working with some set of directives you want to say "I will never need more than this, deny anything new."

Is it not possible that they decide to add something as configurable that is currently allowed everywhere? As an analogy, when Apple decided to make the ID of a user opt-in.