exact whitelist:
scribe.logs.roku.com
api2.branch.io
cws.conviva.com
in /etc/dnnsmasq.d/change_reply.conf
address=/api2.branch.io/192.168.192.168
server=/cws.conviva.com/
unfortunately, there doesn't appear to be a dnsmasq option to reply refused, however, if you also use unbound, they have a solution:
in /etc/unbound/unbound.conf.d/change_reply.conf
local-zone: "scribe.logs.roku.com." always_refuse
tested with latest pihole-FTL (v5.15) and latest unbound (v1.16.1), replies as indicated in your post.
edit
/edit