I just need to vent and ask some questions that hopefully some Jamf employees can answer.
Why are restrictions enabled by default?? If I want to disable ONE thing, I have to explicitly enable EVERYTHING ELSE, including things that I didn't know I needed to enable (screen sharing for Big Sur in this case). This has caused me (the resident Jamf expert because I'm the only one working on it) considerable stress. Can you PLEASE change it so the restrictions need to be enabled explicitly instead of disabled by default. It makes no sense to me why you wouldn't just disable those things you want to explicitly disable. I would guess that the majority of Jamf admins don't want to disable everything. It would also allow you to use multiple restriction configuration profiles that may overlap with multiple groups.
FWIW, Jamf is well aware of what a gigantic pain in the tuchus it is in how config profiles work, and they've been on the path of replacing some of the profile payloads so options can be left untouched that you don't specifically want on or off. To enable an option for configuration now in some of the profile payloads, they have a slider to toggle it on so it will be included in the final profile. if that switch isn't toggled, the entire option is left out of the profile.
But the conversion is taking a long time, so currently only a few of the payloads have been modified in this way. The rest, such as the Restrictions payload, is not one that has gotten this treatment.
If you can't wait for Jamf to get around to this, then your only other option is to make a custom profile using one of the various 3rd party tools out there, then sign it to lock the profile from being modified, and upload it into Jamf.
Just want to second the recommendation that you watch Matthew Mitchell’s video—the guy is a rock star for making that presentation: https://www.jamf.com/resources/videos/roll-your-own-configuration-profile/