The correct answer is Define an organization Copilot policy that permits Copilot only on selected repositories.

This approach uses centralized governance to allow Copilot only on a defined allow list of repositories while blocking it everywhere else. Administrators can enforce a deny by default posture and easily scale the control to new or archived repositories without repetitive work in each project. It also aligns with how Copilot access is designed to be managed at the organization or enterprise level.

Set repository-specific access rules in each repo's settings to turn off Copilot for repositories that should not use it is not the best option because it is decentralized and operationally heavy. It does not provide a single source of truth or a default deny stance across the organization and it is error prone as new repositories are created.

Use VPC Service Controls to restrict which repositories can connect to Copilot is incorrect because this is a Google Cloud networking control that does not govern GitHub SaaS features or Copilot availability in repositories.

Configure enterprise account rules that limit Copilot by the geographic location of collaborators is incorrect because Copilot policies do not control access based on user location. The requirement is to scope Copilot to specific repositories and that is handled by organization or enterprise Copilot policies.

Full AWS Practitioner Certification Question