Hi Nicholas,
Thanks for reaching out. I understand you’re in a bit of a tricky situation with respect to pushing apps/documents to the right users. Fortunately, we have identified a viable solution to your problem.
Instead of applying a policy to a domain, you can apply it to a dynamic device group. Navigate to Manage > Device Groups > New Dynamic Group. You can apply the necessary filters, as shown in the screenshot below. In your case, the list would include all the devices whose users are part of your domain, with the exception of a select few users based on the criteria specified. The list will sync at regular intervals to keep the dynamic group regularly updated.
After creating the dynamic device group, go to Policies > New Policy. After configuring your policy, navigate to Policy Targets > Device Groups and select the dynamic device group. Here is a screenshot below to help you along.

The dynamic device group will ensure that applications, data, documents and whatever policy you desire will be passed to the devices fulfilling the criteria you have configured. This also saves you the hassle of creating multiple policies to exclude select users in the domain. Two birds, one stone.
We hope this solves your problem. Please get back to us if you have any further queries.
Regards,
Patrick Zimmerman
Hexnode UEM