With 7u40 nightly #23, confirmed that a rule without any application quantifier will be treated as "Invalid (run everything) rule in Local Security Policy file".
However, location="*" still works as before. The policy looks like the following:
<id location="*" />
<!-- block everything else -->
<message>we don't want to run anything else</message>
Anyway, SQE is still going to allow this very bug to be fixed. Will file a new bug to track remaining issues.
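
An added example, not part of the original comment or of the JDK: a small auditor that flags rules in a policy file whose `<id>` carries no title, location or certificate, and rules that match only on location="*". It assumes the file is a `<ruleset>` of `<rule>` elements, each with an `<id>` and an `<action permission="...">`; the sample rule set and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the policy from the comment above.
SAMPLE_RULESET = """<ruleset version="1.0+">
  <rule>
    <id location="https://apps.example.com/" />
    <action permission="run" />
  </rule>
  <rule>
    <id location="*" />
    <action permission="run" />
  </rule>
  <rule>
    <id />
    <action permission="run" />
  </rule>
  <rule>
    <id />
    <action permission="block">
      <message>we don't want to run anything else</message>
    </action>
  </rule>
</ruleset>"""


def audit_ruleset(xml_text):
    """Return (rule_number, finding, permission) for every broad-match rule."""
    findings = []
    root = ET.fromstring(xml_text)
    for number, rule in enumerate(root.iter("rule"), start=1):
        rule_id = rule.find("id")
        action = rule.find("action")
        permission = action.get("permission", "") if action is not None else ""
        if rule_id is None:
            findings.append((number, "missing-id", permission))
            continue
        has_cert = rule_id.find("certificate") is not None
        title = (rule_id.get("title") or "").strip()
        location = (rule_id.get("location") or "").strip()
        if not (title or location or has_cert):
            findings.append((number, "unqualified", permission))
        elif location == "*" and not (title or has_cert):
            findings.append((number, "wildcard-location", permission))
    return findings


def run_everything_rules(xml_text):
    """Broad-match rules whose action is 'run': the ones to review first."""
    return [f for f in audit_ruleset(xml_text) if f[2] == "run"]
```

Running `run_everything_rules` over a deployed policy file lists the rules that would let any application through, which is the case the comment reports as now being rejected when the `<id>` has no qualifier at all.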