I think this statement answer your Q

• If you want to allow a triggered event to process any default actions, you must configure the EEM policy to allow the default action. For example, if you match a CLI command in a match statement, you must add the event-default action statement to the EEM policy or EEM will not allow the CLI command to execute.

In some Cisco Nexus N9K-NXOS-Releases, there is a workaround needed to execute "critical" commands.

* usually it works in EEM-Applets to

a) "source out" the original command to a "cli alias" and

b) call that "alias" from the applet

similar to that:  

conf t
  cli alias name wrbak copy running-config tftp://tftp-server/backup_config.txt

  event manager applet  BACKUP_CONFIG
    no action 1.0
    action 1.0 cli command "wrbak"

end

I know - not what you might want, but would work out of the box:

* CLI-Alias with 2x commands instead of EEM:

cli alias name wr copy running-config startup-config ; copy running-config ftp://***FTPUSERNAME***:***FTPPASSWORD***@***FTPSERVERIP***/$(SWITCHNAME)-conf.$(TIMESTAMP) vrf default

Try putting the "event-default" as your first action. That solved it for me.

Initially, I had this setup and received the "% Command blocked by event manager policy" error:

event manager applet Switch-Config-Backup
description "Backup Running Config To FTP Server"
event cli match "copy running-config startup-config"
action 1.0 cli run-script bootflash:Switch-Config-Backup
action 2.0 event-default

However, when I reversed the actions as follows, the "copy run start" command ran without errors:

event manager applet Switch-Config-Backup
description "Backup Running Config To FTP Server"
event cli match "copy running-config startup-config"
action 1.0 event-default
action 2.0 cli run-script bootflash:Switch-Config-Backup

My Switch-Config-Backup script contains the following line:

copy running-config ftp://<FTP-Username>:<FTP-Password>@<FTP-Server>/path/path/$(SWITCHNAME)/$(SWITCHNAME)---$(TIMESTAMP).txt vrf default

Hope this helps.