If I am blocking an entire TLD it is typically after seeing IOCs from a phishing campaign or seeing something similar in the environment. For example, if I know our company doesn't need any websites that are .xyz, I would block *.xyz proactively. I don't know if the Meraki MX would have blocked some things; I block them anyway. I have a block-first approach instead of an allow-first approach.
So, if I see a phishing campaign using a lot of .bbb domains, I will just block *.bbb instead of just the ones the bad actor is using. Sure, if eventually a user has a customer that uses .bbb and we need to allow it, then we allow that one. This does add some detective work when a site won't load.
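As an added example (not from the original post), a small Python evaluator for this block-first TLD policy: wildcard TLD blocks with explicit allow exceptions that take precedence, returning the rule that fired so the detective work when a site won't load starts from a reason. The rule syntax, the sample hosts and the exception list are assumptions, not Meraki MX configuration.

```python
# Added example, not Meraki MX code: evaluate a host against a block-first
# TLD policy ("*.xyz", "*.bbb") with allow exceptions for known partners.
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool
    rule: str  # which rule fired, for the "why won't this site load" question


# Assumed policy: TLDs blocked wholesale, plus carve-outs that override them.
BLOCKED_TLDS = {"xyz", "bbb"}          # from rules "*.xyz", "*.bbb"
ALLOW_EXCEPTIONS = {"customer.bbb"}    # hypothetical partner domain


def normalize(host: str) -> str:
    # Lower-case, drop a trailing dot and any port; IDN handling is left out.
    host = host.strip().lower().rstrip(".")
    return host.split(":", 1)[0]


def evaluate(host: str, blocked_tlds=BLOCKED_TLDS, allow=ALLOW_EXCEPTIONS) -> Decision:
    host = normalize(host)
    labels = host.split(".")
    # Allow exceptions win over the TLD block and also cover their subdomains.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in allow:
            return Decision(True, f"allow:{candidate}")
    tld = labels[-1]
    if tld in blocked_tlds:
        return Decision(False, f"block:*.{tld}")
    return Decision(True, "default")


if __name__ == "__main__":
    # Constructed sample hosts, not real indicators.
    for h in ["shop.example.xyz", "portal.customer.bbb.", "evil.bbb:443", "example.com"]:
        d = evaluate(h)
        print(f"{h:22} -> {'ALLOW' if d.allowed else 'BLOCK'} ({d.rule})")
```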