So I have noticed that when using restricted software records in JSS on computers, the exclusions can be a bit "buggy".
When you apply a restriction to an application, like Chrome, to all devices, once every device has applied the record, when trying to exclude a system that has said record, will fail to remove the restriction. Working with JSS, it was informed that the restrictions cache to the machine so exclusions are somewhat doing nothing at all. I'm sure this has to do something with Apple's end and not so much a product issue on JSS' end, so this is the rather simple workaround.
I made an ongoing policy "Flush JSS Caches" and added the file and process under execute command... "sudo jamf flushCaches" and scoped it to a static cart so that any system applied to that static cart will get the policy. We added the policy in SS instead of doing an auto run, but you could do either one. We just like to know it's running when we click it.
We restricted many applications on our student MacBook's, so since we restrict terminal as one of them, it can be rather picky when we log in as our Hidden Admin account on said device (so often times it'll still block terminal even though it's excluded from hidden admin user).