It sounds like a good idea but from what I've read there do seem to be some problems with it, the major one being that when it stops the program you're running writing a file to a controlled folder, your only options (assuming you did indeed want it to write that file there) are to either write the file somewhere else or turn off CFA altogether. There's no UAC or firewall style popup to let you say "let it through", and adding the program to the exception list doesn't have any effect on the current running invocation of the program.
Writing the file elsewhere, exiting the program, copying the file to where you originally wanted it, and adding the program to the exception list for the next time is clearly a faff, albeit not too bad for a simple case of, say, an editor that just edits and writes a single file. However, I was wondering how much grief it could cause for much more complex programs (e.g. installers), so, having Win 10 Pro, I decided that I'd turn on CFA in "audit only" mode, under which it doesn't prevent anything but sticks an entry in the system logs whenever it would have prevented a write, had it been turned on fully.
I've left it that way for a few weeks and the following is the list of programs it would have blocked. Some are surprising (I haven't changed the allowed list at all).
C:\Perl64\bin\ perl.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ AcroRd32.exe
C:\Program Files (x86)\Adobe\Adobe Bridge\ Bridge.exe
C:\Program Files (x86)\Adobe\Adobe Help Center\ ahc.exe
C:\Program Files (x86)\Adobe\Adobe Photoshop CS2\ Photoshop.exe
C:\Program Files (x86)\Aimersoft\Video Converter Ultimate\ VideoConverterUltimate.exe
C:\Program Files (x86)\BUFFALO\NASNAVI\ nassche.exe
C:\Program Files (x86)\Common Files\Adobe\Updater\ AdobeUpdater.exe
C:\Program Files (x86)\CyberLink\Power2Go10\ IsoViewer10.exe
C:\Program Files (x86)\ImgBurn\ ImgBurn.exe
C:\Program Files (x86)\KeePass Password Safe 2\ KeePass.exe
C:\Program Files (x86)\MICROS~1\Office\ FRONTPG.EXE
C:\Program Files (x86)\Microsoft Office\Office\ EXCEL.EXE
C:\Program Files (x86)\Microsoft Office\Office\ FRONTPG.EXE
C:\Program Files (x86)\PerlEdit\ pe.exe
C:\Program Files (x86)\VideoLAN\VLC\ vlc.exe
C:\Program Files\Google\Drive\ googledrivesync.exe
C:\Program Files\Macrium\Reflect\ reflectbin.exe
C:\Program Files\PDFCreator\ PDFCreator.exe
C:\Program Files\Waterfox\ waterfox.exe
C:\Users\<me>\AppData\Local\Programs\Sync\ sync-taskbar.exe
C:\Users\<me>\AppData\Local\Programs\Sync\ sync-worker.exe
C:\Users\<me>\AppData\Local\Temp\ _iu14D2N.tmp *
C:\Users\<me>\AppData\Local\Temp\is-6MLPT.tmp\ aimer-video-ultimate_full523.tmp *
C:\Users\<me>\Downloads\ aimer-video-ultimate_setup_full523.exe *
C:\Windows\ explorer.exe !?!?! Uh!
C:\Windows\System32\ browser_broker.exe
C:\Windows\System32\ cmd.exe
C:\Windows\System32\ CompMgmtLauncher.exe
C:\Windows\System32\ mmc.exe
C:\Windows\System32\ msiexec.exe
C:\Windows\SysWOW64\ msiexec.exe
Now, the event logs only specify the folder the program was blocked writing to, not the file, and I don't know what I was doing at the time of each. The * ones I recognise as part of an install and I wonder what the effects would have been if CFA had been turned on in full.
Explorer.exe is really surprising, it was blocked writing to %userprofile%\Desktop and there is only one log entry for it.
Cmd.exe, while understandable, is a real nuisance as I have .bat jobs that copy various files around at system startup for various reasons that I don't really want to put elsewhere, so not sure what I'd do about that.
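An added example, not part of the original post: one way to build the same kind of list from the audit-mode log entries described above, grouped by program and target folder. It assumes audit hits are event ID 1124 (and real blocks 1123) in the Windows Defender operational log, and that the event data fields are named 'Process Name' and 'Path'; the function name ConvertTo-CfaRecord is hypothetical.

```powershell
# Added example: summarise Controlled Folder Access (CFA) hits by program.
# Assumptions: event ID 1124 = audit-mode hit, 1123 = real block, and the
# EventData fields are named 'Process Name' and 'Path'.
$logName = 'Microsoft-Windows-Windows Defender/Operational'

# Audit-only mode is set from an elevated prompt; uncomment to apply.
# Set-MpPreference -EnableControlledFolderAccess AuditMode

function ConvertTo-CfaRecord {
    param([Parameter(ValueFromPipeline)] $WinEvent)
    process {
        # Flatten <EventData><Data Name="...">value</Data> into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$WinEvent.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time    = $WinEvent.TimeCreated
            Mode    = if ($WinEvent.Id -eq 1124) { 'Audit' } else { 'Block' }
            Process = $data['Process Name']
            Target  = $data['Path']
        }
    }
}

# -ErrorAction SilentlyContinue: Get-WinEvent errors when nothing matches.
$records = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 1123, 1124 } `
               -ErrorAction SilentlyContinue | ConvertTo-CfaRecord

# One row per (program, target) pair, with hit count and first/last seen,
# so one-off entries stand out from programs that write there routinely.
$records | Group-Object Process, Target | ForEach-Object {
    $times = $_.Group.Time | Sort-Object
    [pscustomobject]@{
        Process = $_.Group[0].Process
        Target  = $_.Group[0].Target
        Mode    = ($_.Group.Mode | Sort-Object -Unique) -join ','
        Hits    = $_.Count
        First   = $times[0]
        Last    = $times[-1]
    }
} | Sort-Object Process, Target | Format-Table -AutoSize

# Programs reviewed and accepted can then be added to the allowed list:
# Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\path\to\app.exe'
```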