I'm speaking more from the database/XSS side of things, where a blacklist is about as useful as no list at all.
There are absolutely times where security has to be compromised, even abandoned, in the name of usability, and times where security must be ironclad, even user-hostile. Civil rights law is definitely the former.
Security always involves trade-offs. Unthinkingly choosing the most restrictive policy every time is not a good security practice.