@Heimdallr, Thanks for posting in Q&A. For Intune, it is a cloud service which can help manage device via deploying policies. For the policy it can deploy, it depends on the CSP which windows provided.
After researching, I find the method to block USB is via administrative templates and the CSP also maps to ADMX.
https://video2.skills-academy.com/en-us/mem/intune/configuration/administrative-templates-restrict-usb
https://video2.skills-academy.com/en-us/windows/client-management/mdm/policy-csp-storage
That means on windows side, the block setting is working on the registry key. In fact, Intune can only deploy policy setting to the device. If anyone has permission wants to change the registry key, it can not prevent it. But when the device sync with Intune again, the policy setting will be applied again. The result if a user can change the registry key is determined by the permission it has. Maybe you can see if there's any method from permission side to help you control the user behavior.
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.