I would still say that TAM is default-deny, not "restricted default-allow". Yes, programs may be allowed to run, but only if it's on the cloud whitelist. The default behavior is still block. Only when the software is on the whitelist will it be allowed to run.Trusted Application Mode is not absolute default-deny. Programs can still be executed on the system based upon a local-cloud algorithm. Most of what can\cannot be executed is based upon the KSN lookup function. In short, TAM is restricted default-allow. The default restrictions are sufficient\insufficient based upon your point of view.
I think the behavior of TAM is:
Delay the execution of the program.
If it's whitelisted, allow.
If not or unknown, block.