What is the use case for blocking all internet traffic except what you explicitly allow? Normally this is used for very restricted environments and for servers. I am sure that this will be very hard to maintain, as websites are very dynamic and interconnected, especially with all the linking to social media, advertisements and analytics sites.
When security is the primary reason, I would even say maintaining a complex custom URL policy might even increase risks due to potential mistakes. This is why it is more common to block the risky categories, inappropriate content and bad stuff. Allowing pages that are linked to a primary site via a referrer does not sound very secure either, as this is how trusted websites get compromised and misused for attacks via malicious advertisements.
If you need to build some form of deny-by-default policy, I would try to use standard URL categories for low-risk sites and use Cloud Application Control to allow specific Cloud Apps within URL categories you block where you want to have more granular control (like allowing Facebook and LinkedIn, but blocking the “Social Media” category).
Know that with Zscaler, URL filtering and Cloud App Control are access control policies, and even when traffic is allowed we scan for malware and other security threats.
I hope this helps you in finding the best solution for your case.