You are correct! I was mistaken about the rules piece when it comes to blocked users. Sorry for any confusion that might have caused!
If you take a look at the Block and Unblock Users docs, it notes:
If a blocked user tries to access an application, they will be redirected to the application with the error message
user is blockedin the URL.
The change in behavior is due to using the Universal Login instead of an embedded login. There are many security benefits to using the Universal Login (Centralized Universal Login vs. Embedded Login), but a difference is that certain errors (e.g. blocked users, errors thrown in rules, etc.) will result in redirects back to the application by design. Unfortunately, it is not possible to display the “blocked user” error on the Universal Login page itself.
You can submit a feature request in our new Feedback category which is reviewed by the product team regularly: Feedback - Auth0 Community