When you add UA on a Tool level, by default DTM outputs the UA library and page view tracking on every page load, even when no Page Load Rules (PLR) are in place.
If you do not want UA to load on certain pages, you can create a PLR with condition(s) to identify the pages (e.g. a URL path) and then within Google Universal Analytics tool section of the PLR, there is a checkbox labeled "Don't load Google Universal Analytics on these pages" that you can check.
So in other words, by default everything is whitelisted and you can create PLR(s) to blacklist pages.
If you want the reverse, where by default every page is blacklisted and you specify pages for it to trigger on (whitelist), then you must implement UA as a Javascript / Third Party Tag within a PLR instead of on a Tool level.