The point is that those 250 countries all have different legislation and cultures. The only concern is not "we don't want the Chinese government to have access to user data". That's the only concern for Gitlab (well that and not violating US laws in regards to who they can do business with), but it is not as simple for many other companies.
Going from a whitelist to a blacklist is hard because you need to either individually vet every country and decide if they're ok, or you need to just assume a lot of countries are ok.
Going from a blacklist to a whitelist is obviously trivial.
i am not sure we are getting anywhere with this argument. i don't really see the point. when a list has a fixed number of possible entries, then the difference between whitelist and blacklist is purely academic. the result is exactly the same.
You seem to be talking about reciprocal lists (blacklist of 3 -> whitelist of 247, whitelist of 10 -> blacklist of 240, etc), which is not what OC was talking about. OC was specifically talking about going from a "small whitelist" to a "small blacklist". Not a "large whitelist to a small blacklist" and certainly not anything the other way around.
Whitelist with 3 countries: I have vetted three countries, and know my employees can operate in those countries legally without issues.
Blacklist with 3 countries: I either need to vet 247 countries to ensure my employees can operate there legally, or I am just assuming that those 247 countries are fine without actually doing the due diligence.
Again, going from a blacklist of 3 countries to a whitelist of 247 countries is obviously not an issue. You're operating on the same data. The issue is going from a whitelist of say 3 countries and then not going to a reciprocal blacklist of 247 countries, but a much smaller blacklist of 3. This is what Gitlab has effectively done in OC's estimation. That either means you vetted those 244 extra countries that are now on your "whitelist", or you're making a lot of assumptions.