Anna_Habert
Explorer

URL Filtering vs. URL Reputation

Hi there,

just a quick question about URL Reputation vs. URL Filtering.

We have a URL whose category is "Business/Economy" but whose URL Reputation is "malicious". The AV blade blocks it with "Access to site known to contain malware" (Sev: medium, Conf: medium).

Since this is the first time I have seen this kind of multiple decision, I am wondering if those are two different databases, and why? Shouldn't a bad reputation lead to the same bad categorization (e.g. High Risk or Malicious Site)?

What is the correct way to handle the situation?

  • re-categorize with a comment on the urlcat site?
  • open a service request with TAC?
  • or just whitelist the site?
Accepted Solution
_Val_
Admin

Opening a TAC request is indeed the best way to find your answer here.

4 Replies
PhoneBoy
Admin

URL Reputation and URL Filtering use different databases delivered through ThreatCloud.
URL Reputation is Anti-Bot/Anti-Virus specifically, which means the exception would need to be added to the Threat Prevention policy.
If you feel the categorization is wrong, please report via the TAC.

the_rock
Legend

Personally, but this is just me, I agree with @_Val_: open a TAC case to get an official statement. You do, however, bring up very valid points. I would not do any re-categorization for now, but you could always whitelist the website for the time being.

What is the site, if you can provide it? I have a very good HTTPS inspection lab, so I am happy to test it out.

Best regards,

Andy

Timothy_Hall
Legend

Sorry to come in late on this one, but you have highlighted an area of overlap between Access Control and Threat Prevention that can lead to confusion when searching through Threat Prevention logs looking for a drop that was actually caused by URLF.  Access Control (including URLF) is always enforced first (with some exceptions for IP reputation drops that can happen very early for efficiency reasons) followed by Threat Prevention.  My impression is that the URL Filtering categories Spyware/Malicious Sites & Botnets are primarily for sites that were once a legit category (like Business/Economy) but have been hacked/infected and suddenly moved into this category; sites that are perennially in these categories tend to eventually get shut down by ISPs/providers unless they are in a hostile country.  These URLF categories can still provide some protection even if Threat Prevention is not enabled at all.

The reputation data for Threat Prevention is sourced from a number of open and closed sources, and it doesn't surprise me that occasionally it won't be in agreement with URL filtering.  Threat Prevention's database is much more dynamic and ever-changing than the URL filtering database.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
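To make the two replies above concrete (PhoneBoy's point that a URL Reputation block belongs to Anti-Virus/Anti-Bot and so needs a Threat Prevention exception, and Timothy's point that Access Control is enforced before Threat Prevention), here is a small triage script. It is an added example, not code from this thread or from Check Point; the key=value field names (`product`, `action`, `resource`, `app_category`, `protection_name`) and the sample log lines are constructed assumptions, not the vendor's log schema, so map them to your own log export before use.

```python
"""Triage helper: which blade blocked a URL, and where an exception would go.

Constructed example. Field names and sample lines are assumptions modelled on
key=value firewall logs, not a reference to any vendor's actual schema.
"""
import re
from dataclasses import dataclass

# Constructed sample log lines (not captured from a real gateway).
SAMPLE_LOGS = [
    'product="URL Filtering" action="Block" resource="http://example.test/login" '
    'app_category="Spyware/Malicious Sites"',
    'product="Anti-Virus" action="Prevent" resource="http://example.test/report.pdf" '
    'app_category="Business/Economy" '
    'protection_name="Access to site known to contain malware" '
    'severity="Medium" confidence_level="Medium"',
    'product="URL Filtering" action="Accept" resource="http://example.test/news" '
    'app_category="Business/Economy"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Assumed blade-to-layer mapping, following the thread's description.
ACCESS_CONTROL_BLADES = {"URL Filtering", "Application Control"}
THREAT_PREVENTION_BLADES = {"Anti-Virus", "Anti-Bot"}
BLOCK_ACTIONS = {"Block", "Prevent", "Drop", "Reject"}


@dataclass
class Triage:
    resource: str
    enforcing_layer: str   # "Access Control", "Threat Prevention", "none", "unknown"
    blade: str
    reason: str
    exception_goes_in: str


def parse_log(line):
    """Turn one key="value" log line into a dict."""
    return dict(FIELD_RE.findall(line))


def triage(record):
    """Decide which policy layer produced the verdict and where an exception belongs."""
    product = record.get("product", "")
    action = record.get("action", "")
    resource = record.get("resource", "")
    if action not in BLOCK_ACTIONS:
        return Triage(resource, "none", product, "allowed", "no exception needed")
    if product in ACCESS_CONTROL_BLADES:
        # A category verdict: fix via the Access Control policy or a re-categorization.
        return Triage(resource, "Access Control", product,
                      "category " + record.get("app_category", "?"),
                      "Access Control policy (URL Filtering rule / re-categorization)")
    if product in THREAT_PREVENTION_BLADES:
        # A reputation verdict: the category field is irrelevant here, so a
        # URL Filtering change would not lift the block.
        return Triage(resource, "Threat Prevention", product,
                      record.get("protection_name", "reputation"),
                      "Threat Prevention policy exception")
    return Triage(resource, "unknown", product, action, "investigate")


def triage_all(lines):
    return [triage(parse_log(line)) for line in lines]


def enforcement_order(url_category, reputation, blocked_categories, tp_enabled=True):
    """Model the order described in the thread: Access Control (URLF) is evaluated
    first; only traffic it accepts reaches Threat Prevention's reputation check."""
    if url_category in blocked_categories:
        return ("Access Control", "URL Filtering")
    if tp_enabled and reputation == "malicious":
        return ("Threat Prevention", "Anti-Virus")
    return ("none", None)


if __name__ == "__main__":
    for t in triage_all(SAMPLE_LOGS):
        print(f"{t.resource}: {t.enforcing_layer} ({t.blade}) - {t.reason}; "
              f"exception goes in: {t.exception_goes_in}")
    print(enforcement_order("Business/Economy", "malicious", {"Spyware/Malicious Sites"}))
```

Run against the constructed lines, the second record (category Business/Economy, Anti-Virus Prevent) is attributed to Threat Prevention, which is exactly the case in the original question: a whitelist entry in URL Filtering would not change that verdict. The `enforcement_order` function also shows Timothy's point that a category in a blocked URLF category is stopped before reputation is ever consulted, and that a malicious reputation is only enforced when Threat Prevention is enabled.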