You can still use the default domain; I do in my Postman recipes for the Management API because it makes it more obvious which Auth0 tenant I’m working with.
This is a valid (and known) shortcoming for which I encourage you to create a Feedback Request.
After doing some digging internally, the consensus is that there are 2 attack vectors against canonical domain name bypass:
Authentication API: You may want to reach out to support (support ticket) to inquire about allowlisting your RP (relying party) IPs.
Management API: The iss (issuer) claim originating from your custom domain will be different, and as long as token validation is done against the custom domain name iss any bypass shouldn’t go unnoticed.
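
The issuer check described in the reply above, as an added example that is not part of the original thread or Auth0's own code: after the signature verifies, the token's iss is compared exactly against the custom domain issuer, so a token minted through the canonical domain is reported rather than accepted. The domain names, the secret and the helper names are assumptions, and HS256 is used only to keep the sample tokens standard-library-only; a deployment would verify against its tenant's signing keys.

```python
import base64, hashlib, hmac, json

# Assumed values for illustration (not from the thread).
EXPECTED_ISS = "https://login.example.com/"          # custom domain issuer
CANONICAL_ISS = "https://example-tenant.auth0.com/"  # default tenant domain
DEMO_SECRET = b"constructed-demo-secret"             # constructed signing key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a constructed HS256 JWT used only as sample input."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def check_token(token: str, secret: bytes = DEMO_SECRET) -> str:
    """Return 'ok', 'malformed', 'bad_signature' or 'issuer_mismatch:<iss>'."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(_unb64url(head))
        claims = json.loads(_unb64url(body))
        given = _unb64url(sig)
    except (ValueError, TypeError):
        return "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return "malformed"
    if header.get("alg") != "HS256":   # pin the algorithm, do not trust the header
        return "bad_signature"
    want = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):
        return "bad_signature"
    iss = claims.get("iss")
    if iss != EXPECTED_ISS:            # exact match, trailing slash included
        return f"issuer_mismatch:{iss}"  # log this: token came via another domain
    return "ok"

if __name__ == "__main__":
    for iss in (EXPECTED_ISS, CANONICAL_ISS):
        print(iss, "->", check_token(make_token({"iss": iss, "sub": "user-1"})))
```
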