Maybe its most useful to think of this as sort of an "isometric" 3D rendering, because this extra dimension is usually only exposed to the user modally: the third dimension is whatever site you happen to be visiting at the present time. By 2D I was mostly referring to the interface, which is a "matrix", and commenting on how that particular metaphor makes managing a complex request blocker a much better experience.

> It's actually 3 dimensions, as any selections you make in that UI only apply to the site you're currently visiting.

Well, technically that is only partially true as the third dimension is the (sub-) domain scope or "*" which can be reflected behind the scenes with the first-party settings for the origin's domain for each request type because it has the identical effect.

No, it's a full dimension. That you can't see it in the GUI is because the GUI is already scoped to the currently-active url, and you can only control the specificity of the rules, as you say.

But if you view the rules, you'll see its three dimensions spelled out:

  * * * block
  * * script block
  * 1st-party * allow
  stackexchange.com sstatic.net * allow
  stackexchange.com cdn.sstatic.net script allow

This is full [source domain] [target domain] [request type] flexibility. The GUI will only show the stackexchange rules above when you're actually visiting that site; it doesn't mean the third dimension is fake.

It's still a third dimension, it just doesn't have that many values.

That's not how it works for me. When I enable ajax for one site, it doesn't enable for other sites. I guess I have an option checked somewhere.