You’re correct to say that the use of explicit proxy (PAC file) will mean that the traffic will use TCP which is sub-optimal for Teams traffic. This is called out in MS blog here:
Even if an explicit proxy (PAC file/ZApp) is set on a client the Teams / Skype for Business (S4B) will first attempt to connect via the more optimal UDP ports, and if those are unreachable it will look for less optimal methods such as explicit proxy via TCP.
Fortunately with Zscaler Internet Access you are able to combine explicit and transparent traffic forwarding methods. Therefore the recommendation for Zscaler customers using Teams / S4B is be to ensure that a) clients can DNS resolve internet addresses for Teams / S4B and b) there is a suitable path for Teams UDP ports to get out to MS. Then the best way to secure this UDP traffic with Zscaler Internet Access is to ensure it is captured by a GRE or VPN tunnel (setup following Zscaler tunnel best practises of course) that forwards to the nearest ZEN DC. In order to get full visibility and control of this UDP traffic customer can use the Zscaler Adv. Firewall (note: When the O365 One-click option us enabled this also sets up a firewall allow rule which will ensure the UDP traffic will also be able to egress via Zscaler)