What if the Web Gateway blocked something like a virus? Or blocked because you didnt allow EXE downloads?
MWG must first download the file in order to know it's a virus or EXE (in some cases).
If it's a category block, still, there will be bytes reflected in the log because MWG had to deliver a block page.
I was hoping someone would validate your answer but it doesn't appear it's going to happen anytime soon. What you stated makes sense to me as it appears there are different steps in the validation process of rules. I suppose it's possible that it could download a response from a users request, log the size of that transfer, see's something in it that it's configured to reject and marks it with a 403 to block with that data never actually being passed to the user.
Thanks for your contribution Jon