Currently it's very cumbersome to change anything related to the access rules generated for the dispatcher since the locations to allow/deny are hard-coded into the templates. To add a rule you'd have to override the complete template.
So it would be useful if the locations to be restricted are extracted into parameter lists of the role configuration. You could then extend them with custom rules and the statements in the templates could be generated by iterating over these lists. To illustrate the idea:
A few random points:
- If the risk of accidentally deactivating the default list of critical paths is too high it should at least be possible to augment them with custom rules.
- It should probably be possible to remove restrictions for the selectors in any case since there might be cases where you actually want them accessible.
- It would be nice if the syntax for the rules would be generic enough so that either httpd or dispatcher rules could be generated from them (if someone feels more comfortable with the dispatcher.any configuration). This however is probably not so simple since the syntaxes of httpd and the dispatcher module would need to be converted between with even more risk of something not being generated as expected.
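
A sketch of the proposal above, added here as an example and not taken from the project or from the original post: one rule list rendered to both dispatcher `/filter` entries and httpd 2.4 sections, with the defaults kept non-removable and untranslatable rules rejected. The rule format, the default paths and all function names are hypothetical.

```python
import re

# Constructed defaults; the role's real list of critical paths is not shown on this page.
DEFAULT_DENY = [{"type": "deny", "path": "/system"}, {"type": "deny", "path": "/crx"}]
DEFAULT_SELECTOR_DENY = [{"type": "deny", "selectors": ["infinity", "tidy"]}]
SAFE_PATH = re.compile(r"/[A-Za-z0-9_/-]+")      # no quotes or regex metacharacters
SAFE_SELECTOR = re.compile(r"[A-Za-z0-9_-]+")

def effective_rules(custom, restrict_selectors=True):
    """Custom rules first, default path denies last: later rules take precedence
    in both targets, so a custom allow cannot reopen a default critical path."""
    rules = list(custom)
    if restrict_selectors:  # selector restrictions are the only removable defaults
        rules = rules + DEFAULT_SELECTOR_DENY
    return [check(r) for r in rules + DEFAULT_DENY]

def check(rule):
    """Accept only the two known rule shapes with safe values; reject the rest."""
    if rule.get("type") not in ("allow", "deny"):
        raise ValueError(f"bad type in {rule!r}")
    keys = set(rule) - {"type"}
    if keys == {"path"} and isinstance(rule["path"], str) and SAFE_PATH.fullmatch(rule["path"]):
        return rule
    if keys == {"selectors"} and isinstance(rule["selectors"], list) and rule["selectors"] \
            and all(isinstance(s, str) and SAFE_SELECTOR.fullmatch(s) for s in rule["selectors"]):
        return rule
    raise ValueError(f"unsupported rule {rule!r}")

def render_dispatcher(rules):
    """Emit dispatcher.any /filter entries; single-quoted values are regular expressions."""
    out = []
    for n, r in enumerate(rules, start=1):
        match = (f"/url '{r['path']}(/.*)?'" if "path" in r
                 else f"/selectors '({'|'.join(r['selectors'])})'")
        out.append(f'/{n:04d} {{ /type "{r["type"]}" {match} }}')
    return "\n".join(out)

def render_httpd(rules):
    """Emit httpd 2.4 sections; fail instead of guessing when a rule has no direct equivalent."""
    out = []
    for r in rules:
        if "path" not in r:
            raise ValueError(f"no httpd translation for {r!r}")
        verdict = "granted" if r["type"] == "allow" else "denied"
        out.append(f'<LocationMatch "^{r["path"]}(/.*)?$">\n'
                   f'  Require all {verdict}\n</LocationMatch>')
    return "\n".join(out)
```

Selector rules are rendered for the dispatcher only; the httpd renderer raises on them rather than emitting an approximate pattern, which is the conversion risk the last point describes.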