90% of people who understand SCP as an "authorization policy" and enter the exam will miss Domain 1. The essence of SCP can be expressed in one sentence — "SCP never grants permissions. It only sets the maximum limit (ceiling) of what permissions can be allowed." Failing to understand this one sentence means you'll be confused on every "4 correct SCP statements" scenario in the Pro exam.
Before SCP appeared, there was no way to enforce "the root user of all accounts cannot do X" in a multi-account environment. IAM policies only apply to IAM Users/Roles within an account and pass through root. AWS Config Rule only detects violations after the fact, not blocking them