You are using Device Control on Symantec Endpoint Protection (SEP) for Mac to block USB devices, but they are still available briefly (for about one minute) after boot. After a minute or so, they are blocked even if already plugged in.
This is by design. Device Control policies do not take effect until after SymDaemon is loaded.
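To measure the gap on a particular Mac, the following added example (not Symantec's code) compares the system boot time with the start time of the SymDaemon process. It assumes the process is visible to `pgrep` under the exact name SymDaemon; the function names are hypothetical. Because policies apply only after the daemon loads, the result is a lower bound on the unenforced interval.

```shell
#!/bin/sh
# Added example: estimate how long after boot SymDaemon started on this Mac.
# Assumption: the process name is exactly "SymDaemon" (name taken from the article).

# Convert ps "etime" ([[dd-]hh:]mm:ss) to seconds.
# awk is used so that fields such as "08" are read as decimal, not octal.
etime_to_seconds() {
    printf '%s\n' "$1" | tr -d ' ' | awk -F'[-:]' '{
        s = $NF + 60 * $(NF - 1)
        if (NF >= 3) s += 3600 * $(NF - 2)
        if (NF == 4) s += 86400 * $1
        print s
    }'
}

# Extract the boot epoch from `sysctl -n kern.boottime` output,
# which looks like: { sec = 1700000000, usec = 123456 } Tue Nov 14 ...
boot_epoch() {
    printf '%s\n' "$1" | sed -n 's/^{ sec = \([0-9][0-9]*\),.*/\1/p'
}

# Seconds between boot and daemon start: (now - elapsed) - boot.
# Arguments: boot epoch, current epoch, ps etime string.
daemon_gap() {
    elapsed=$(etime_to_seconds "$3")
    echo $(( $2 - elapsed - $1 ))
}

# Live measurement, macOS only. If the daemon was restarted after boot
# (for example by an upgrade), the value does not describe the boot window.
if [ "$(uname)" = "Darwin" ]; then
    pid=$(pgrep -x SymDaemon | head -n 1)
    if [ -n "$pid" ]; then
        boot=$(boot_epoch "$(sysctl -n kern.boottime)")
        gap=$(daemon_gap "$boot" "$(date +%s)" "$(ps -o etime= -p "$pid")")
        echo "SymDaemon started ${gap}s after boot; Device Control policy could not apply before then"
    else
        echo "SymDaemon process not found; Device Control policy has not been loaded" >&2
    fi
fi
```

Collected across a fleet, the reported value shows which hosts have the longest window and can be compared with the roughly one minute described above.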
Apple macOS
If you wish, you may submit an enhancement request to our engineers. For instructions on how to do this, please see "Submit a suggestion for Symantec products".