How to best whitelist IPs from malware IPs with tags (without Quick)

Started by senseOPN, July 07, 2025, 11:29:19 PM

I use the following lists to block malware IPs between all my firewall networks:

https://feodotracker.abuse.ch/downloads/ipblocklist.txt
https://rules.emergingthreats.net/blockrules/compromised-ips.txt

And this to block malware IPs as Source or Destination on my WAN interface only (as it contains private networks):
https://iplists.firehol.org/files/firehol_level1.netset

Again and again, those lists contain regular IPs that should not be blocked.
Therefore, I added whitelisting rules ... but those should of course not allow anything from or to the whitelisted IPs!

Instead, I removed Quick from both the (Floating) whitelisting and blocking rules, set the tag "blocked" on the blocking rules and "whitelisted" on the whitelisting rules.

The whitelisting rules come after the blocking rules, so that the tag gets changed from "blocked" to "whitelisted" - and then I have a final Floating rule that just blocks all traffic that has the "blocked" tag.

Is this the right way to handle this?

I first thought that inverting the tag "whitelisted" with "!whitelisted" would be the easiest way, but that syntax does not seem to be supported and I had no idea how to correctly implement whitelisting in other ways.
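The scheme the post describes, written out as a hand-made pf.conf ruleset (an added example, not the poster's rules and not what OPNsense generates from its GUI). It relies on two pf semantics: without "quick" the last matching rule decides, and a tag set by one matching rule is sticky but can be replaced by a later matching rule. Table names, the file paths behind them, the interface name and the allowlist entries are all assumptions for illustration:

```pf
# Added example: pf.conf equivalent of the tag-based allowlisting scheme.
# Table names, file paths, interface name and addresses are assumed.

table <malware_ips>     persist file "/var/db/aliases/malware_ips.txt"     # assumed: feodo + ET compromised-ips
table <wan_malware_ips> persist file "/var/db/aliases/firehol_level1.txt" # assumed: firehol_level1
table <allowlist>       persist { 192.0.2.10, 198.51.100.0/24 }           # constructed sample entries

wan = "em0"   # assumed WAN interface name

# 1. Blocking rules without "quick": evaluation continues past them,
#    but the tag is sticky, so any packet touching a listed address
#    is marked "blocked" regardless of which rule finally matches.
block from <malware_ips> to any tag blocked
block from any to <malware_ips> tag blocked
block on $wan from <wan_malware_ips> to any tag blocked
block on $wan from any to <wan_malware_ips> tag blocked

# 2. Allowlisting rules after the blocking rules, also without "quick":
#    a later matching rule replaces the tag, so only packets involving an
#    allowlisted address go from "blocked" to "whitelisted". "match" is
#    pf's action that applies a tag without making a pass/block decision,
#    so these rules cannot allow anything on their own.
match from <allowlist> to any tag whitelisted
match from any to <allowlist> tag whitelisted

# 3. Final decision: drop whatever is still tagged "blocked". "quick" is
#    essential here; without it, any later rule (e.g. an interface pass
#    rule) that matches the packet would override this block.
block log quick tagged blocked

# Note: pf.conf itself accepts inverse tag matching with "! tagged", e.g.
#   block log quick from <malware_ips> to any ! tagged whitelisted
# That variant only works if the allowlist "match ... tag whitelisted"
# rules are placed *before* the block rules, since the tag must already
# be present when the block rule is evaluated.
```

Whether the final rule is Quick is the one thing worth verifying in the live ruleset (for example with `pfctl -sr` on the box): with the tagging rules deliberately non-quick, the last rule is the only place where the block actually takes effect.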