How can OT devices (printers, TVs, etc.) bypass Zscaler and go to the internet directly?
By not installing ZCC on these devices (if/when they have that option at all).
By not using a PAC file or a static proxy config pointing to Zscaler.
By excluding the source IPs (ranges) of these devices from being sent into the IPSec/GRE tunnel you have to Zscaler.
However, as long as you design carefully, especially your SSL Inspection policy, such devices can also communicate with their home bases via Zscaler (there are corner cases, of course).