If you want to separate one controller and keep it inside dom0, you will need to set usbcore.authorized_default=0 and rd.qubes.dom0_usb with your controller identifier. The excluded controller should contain the USB keyboard and mouse, which will work directly in dom0 without interacting with sys-usb input proxy service. Other USB devices won’t work with the USBGuard configuration unless they tell the system that they are input devices, which sometimes happens with weird devices.
If your goal is to hide all USB devices at boot except the keyboard and mouse, then setting usbcore.authorized_default=0 will be enough.
Yes, it was added in Qubes 4.1, and it still works today, even on 4.3-rc1.