Running report from Cloud SWG console for genuine websites showing denied with rule is showing TP G3 (permanently blocked categories).
Verdict is showing as proxy_avoidance as shown below.
Users do not complain of issues accessing these sites.

Upon investigation it was found that if we run reports with below filters we can see actual problem.

Protocol = tcp and Verdict = proxy_avoidance
Or 
Method = CONNECT and Verdict = proxy_avoidance

<>

All transparent proxy access methods used to connect to Cloud SWG.

 - WSS Agent, SEP Web and Cloud Access protection client or Symantec Enterprise Agent. 
 - IPSEC

All Cloud SWG Agents, as well as IPSEC clients access the Cloud Proxy in a transparent manner and hence there should not be any CONNECT request coming to Cloud SWG.

All the requests blocked with the proxy_avoidance exception are being directed to tunnel[.]googlezip[.]net, which serves as a pre-fetch proxy in Google Chrome.

Google Chrome uses this pre-fetch proxy feature, by sending HTTP requests via a CONNECT method.

When these pre-fetch requests reach the Cloud SWG service, the Cloud Proxy blocks them because domain used by prefetch proxy is categorized under Proxy Avoidance (TP-G3).

This does not impact normal browsing however these skewing the reports.

• Open Chrome Settings: Click on the three vertical dots (More) in the top right corner of Chrome, then select "Settings".
• Navigate to Performance: In the left-hand sidebar, click on "Performance".
• Find Speed Section: Scroll down to the "Speed" section.
• Toggle Off "Preload Pages": Locate the "Preload Pages" option and toggle it off to disable the feature