In Normal it only uses its (cloud?) blacklist and blocks the processes you have blocked yourself and quarantained (not more than just a blacklist addition to our AV).
In Moderate mode it also shows a popup for unsigned processes
in High mode it only allows safe processes (using the whitelist it has build monitoring your system) and the processes or signers the user has marked as trusted, for all other processes it will show a popup.
Although documentation is (like the application) in development. The Normal mode also seems to act as a learning mode. When you use High mode, until user logon is completed Spyshelter seems to run in Moderate mode to prevent borking up your system. The information it provides about running processes is sort of similar to an intrusion detection system (like Panda's process monitor). This info is only usefull when the system keeps running (without cloud or internet based console useless against ransomware or other threats borking up your system).
Spyshelter could be very interesting when it would offer an internet based console where an admin or digital educated family friend, could watch (keep an extra eye) over what is running on the PC's of family members or friends. Ironically Spyshelter would then spy on other computers 
With that extra it would be an ideal companion for MBAM business for example
