This is the sort of thing I'd normally formally submit as an RFE, but perhaps posting in the community is a better way to get input from peers and Check Point.
The new R80.40 feature supporting an encryption domain per site-to-site VPN community was long overdue (I think I did an RFE for this ages ago) - but it's nice to finally have what Cisco VPN match ACLs have provided for years... However, there's still an issue: security rules do not have an option for "Cleartext only".
Despite the best intentions, organisations struggle to have very tightly restricted security policies. VPN access can have unintended consequences where rules do not have a "Cleartext only" option - and VPN configuration for third parties can end up matching rules intended for some other purpose. While this could be avoided by placing all VPN access near the top of the policy and putting a per-VPN block rule at the end of each section, "Cleartext only" could help avoid this by ensuring VPN traffic can never match the rules.
Taking it a little further, provide a policy option for the default behaviour - either the current "Any" (cleartext and any VPN community) or "Cleartext only". This would prohibit any VPN access on new rules unless the rule is specifically configured for it. This may have some advantages with internal performance optimisation - the gateway would know which rules were eligible for VPN matching in advance.
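
An added example, not part of the original post and not Check Point code: a simplified first-match model of the rulebase that audits for Accept rules whose VPN column is "Any" and whose source overlaps a third party's networks, then shows how the proposed "Cleartext only" option would change the match. The rule layout, addresses, community name and the `Cleartext` value are all assumptions made for illustration.

```python
import ipaddress

# Constructed rulebase in a simplified model (not a Check Point export format).
# "vpn" mirrors the rule's VPN column: "Any" matches cleartext and every community,
# a community name matches only that community. "Cleartext" is the hypothetical
# option proposed in the post and matches only unencrypted traffic.
RULES = [
    {"no": 1, "src": "10.50.0.0/24", "dst": "192.0.2.10/32", "vpn": "Partner", "action": "Accept"},
    {"no": 2, "src": "10.0.0.0/8", "dst": "192.0.2.20/32", "vpn": "Any", "action": "Accept"},
    {"no": 3, "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "vpn": "Any", "action": "Drop"},
]
# Constructed: source networks each third-party community can present.
PEER_DOMAINS = {"Partner": ["10.50.0.0/24"]}

def vpn_matches(column, community):
    """community is None for cleartext traffic, else the community name."""
    if column == "Any":
        return True
    if column == "Cleartext":
        return community is None
    return column == community

def first_match(rules, src, dst, community):
    """Return the number of the first rule matching the connection."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r["src"]) and d in ipaddress.ip_network(r["dst"])
                and vpn_matches(r["vpn"], community)):
            return r["no"]
    return None

def exposed_rules(rules, peer_domains):
    """Accept rules with VPN column "Any" whose source overlaps a peer's networks."""
    hits = []
    for r in rules:
        if r["action"] != "Accept" or r["vpn"] != "Any":
            continue
        for community, nets in peer_domains.items():
            if any(ipaddress.ip_network(r["src"]).overlaps(ipaddress.ip_network(n)) for n in nets):
                hits.append((r["no"], community))
    return hits

def with_cleartext_only(rules, rule_no):
    """Copy of the rulebase with one rule switched to the hypothetical option."""
    return [dict(r, vpn="Cleartext") if r["no"] == rule_no else r for r in rules]
```

In this model the partner's tunnel traffic to 192.0.2.20 is accepted by rule 2, which was written for internal hosts; with rule 2 switched to the hypothetical value the same connection falls through to the cleanup rule while internal cleartext traffic still matches rule 2.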