The use case is to block external/personal gmail, drive etc... access from users on the enterprise network

Certain functions that bounce to accounts.google.com to authenticate would switch to the google cert instead of applying the Cloud SWG (WSS) cert that is expected in order to block access to external/personal account access.

Enabling Google SafeSearch caused some cases where "drive.google.com" and "accounts.google.com" would NOT get SSL Intercepted.   

-   SSL Interception and Decryption is required for content to get analyzed by CASB

DISABLE Google SafeSearch in Cloud SWG (formerly called WSS)...and confirm that CASB events and alerts are properly working.