URLs https://<reported_URL1> & https://<reported_URL2> return the error message shown in the snippet below and are also blocked via policy (risk level classification over 7).

Could the risk level be reduced or changed?

image of the error below. Actual URL has been redacted.

Cloud SWG

"Security Classification", as shared in the issue description, is "Threat Risk Level", and that the URL reports a threat risk level that's 7 and above.

A reclassification isn't possible. Instead, the resolution would be to add the affected URL to the "Trusted Destinations" list, to allow the access.

For more details, check out the referenced technical documents below.

Ref.: Configure Threat Risk Level Policy

Concerning the CORS error reported, note that any auth policy that requires redirects will break CORS pre-flight requests. So the Chrome add on referenced in the Tech. Doc. with the URL below sends the user session info with every requests and prevents any redirect. 

Ref.: Preventing CORS error

If the customer has an access method that can do IP surrogates, then there will be no need for this (WSS Agent, IPSEC), but explicit really needs it.