Consider using Google Santa to block the macOS Install.app? As for blocking via local storage/USB, if I understood correctly, it's probably good to set a firmware passcode, and by default, if the Mac has a T2 chip, booting from external media is forbidden.
In short, firmware password + Google Santa to block the installer + this command: softwareupdate --ignore "macOS Catalina".
https://technology.siprep.org/using-santa-to-block-mojave-upgrades/
Ignoring the macOS Catalina Upgrade | VMware