Thanks for posting.
Restricting bcdedit.exe will compromise creating rescue and boot media.
vssadmin.exe isn't used by Reflect.
Please note that both of these restrictions offer very weak protection against malware/ransomware. Both the BCD and Shadow copies can easily be changed using WMI.
Nick - Macrium Support