With the "App Specific network blocking" you can block network connection for a particular application. This feature requires the VPN permission on the device. When the package name of a particular application is added and deployed via policy, this application will not be allowed to connect to the network/internet.
Eg: An application which is installed on the devices for reading PDF files has an option to connect to the cloud server. The administrator want users to use this application only to read PDF files and does not want users to connect to the cloud service. The administrator can restrict this by adding the package name to the "App Specific network blocking" and deploy via policy.