The default proxy policy is 'Deny'.

There is no rule or policy to allow the HTTP CONNECT method.

The policy trace is showing the HTTP CONNECT method getting allowed like in the below transaction.

<Proxy>
...
CONNECT tcp://www.example.com:443/
...
verdict: ALLOWED

The proxy policy does not have a rule that explicitly denies the HTTP method CONNECT. However, if there is a specific rule to deny it, then the verdict will be 'Denied' as shown in the policy trace below.

<Proxy>
MATCH:         DENY http.method=CONNECT 
...
CONNECT tcp://www.example.com:443/
...
verdict: DENIED: Either 'deny' or 'exception' was matched in policy

The document below further confirms the behavior on the proxy for the CONNECT method where as you can see below by default, it gets allowed.

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/edge-swg/7-3/about-ssl-proxy/ssl-proxy-troubleshooting-intro/process-connect-method.html

This is an expected behavior or by design due to how the proxy handles the HTTP CONNECT method.