Hi @dips1,
Yes, you are right.
Adobe recommends blocking XML requests by default.
But if we are using sitemap.xml, the configuration has to be enabled, and the configuration is as follows.
1. Enable .xml in the Apache Sling GET Servlet.
2. Deny all the XML requests in the dispatcher.
   /0001 { /type "deny" /glob "*" }
3. Enable the sitemap.xml request alone in the dispatcher.
   /0011 { /type "allow" /url "/sitemap.xml" }
This will meet our security checklist.
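
A simplified model of how the two filter rules in the post above are evaluated, as an added example that is not part of the original post or Adobe's code. It assumes the dispatcher's last-matching-rule-wins evaluation, with `/glob` matched against the whole request line and `/url` against the path; `RULES`, `decide` and `audit` are hypothetical names, and the sample paths are constructed.

```python
from fnmatch import fnmatchcase

# The two rules from the post, in file order. Simplified model (assumption):
# /glob is matched against the full request line, /url against the path only.
RULES = [
    {"id": "0001", "type": "deny", "glob": "*"},
    {"id": "0011", "type": "allow", "url": "/sitemap.xml"},
]


def rule_matches(rule, method, path):
    """Return True when every pattern present on the rule matches the request."""
    request_line = f"{method} {path} HTTP/1.1"
    if "glob" in rule and not fnmatchcase(request_line, rule["glob"]):
        return False
    if "url" in rule and not fnmatchcase(path, rule["url"]):
        return False
    return True


def decide(method, path, rules=RULES):
    """Evaluate all rules in order; the last matching rule sets the verdict."""
    # Assumed default for this model when no rule matches at all: refuse.
    verdict, matched = "deny", None
    for rule in rules:
        if rule_matches(rule, method, path):
            verdict, matched = rule["type"], rule["id"]
    return verdict, matched


def audit(paths, rules=RULES):
    """Map each sample path to its (verdict, matching rule id)."""
    return {p: decide("GET", p, rules) for p in paths}


# Constructed sample requests, not taken from a real access log.
SAMPLE_PATHS = [
    "/sitemap.xml",
    "/content/site/en.xml",
    "/content/site/en.sitemap.xml",
    "/sitemap.xml.json",
]

if __name__ == "__main__":
    for path, (verdict, rule_id) in audit(SAMPLE_PATHS).items():
        print(f"{verdict:5} by /{rule_id}  GET {path}")
```

Passing the rules in reverse order to `decide` shows why the deny rule has to come before the allow rule: the catch-all would then match last and refuse `/sitemap.xml` as well.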