Pathname vs label... I don't know which is better, I don't know if I care.
What I do know is a MAC solution needs to be default deny to be truly effective. Otherwise security gains will be largely illusionary. It's a classic trap to fall into blacklists because they are easy to use.