For Data Exposure via Securlet policy - when we try to exclude a domain for example:

abc.<example>.com we still receive alerts for xyz.abc.<example>.com.

Shouldn't it work for all sub-domains? Is there a way for a wildcard?

Working as Designed

Policy needs to identify the violator and uses the complete email address which includes full explicit subdomain for identification purposes.

Complete explicit sub-domains also apply for identifying internal versus external users for vendor apps like O365 - so it is not confined to this one data exposure policy type.