in our SPO on GCloudBelgium, a PRIVATE CDN is now enabeled (since 16/09/2022), with the option -NoDefaultOrigins. It means that images, js files, or other assets are NOT cached for the sharepoint sites of our tenant. But we needed  to add libraries to the private CDN to enable the Organization Assets Library for Office Templates. 

on 16/9/2022 3 libraries were added as Organization Assets Library for Office Templates: BOSA, SFPD, and RVAONEM, to respond to 3 demands we received during the last year. So, if you need CDN you add some new Origins to the existing Private CDN, and  NEVER enable the public CDN,because public cdn is forbidden on our tenant for GDPR reasons (anyone on the planet could access the data!) For example, if you want to add a new Origin for Office templates for an Institution, you just have to:
  1. Create the new library library in the 'GCloud central' site
  2. Break inheritance in the library
  3. Assign Read right to 'everyone except external user' 
  4. in POWERSHELL, add the new Library:
    Add-PnPTenantCdnOrigin -OriginUrl /sites/GCloudCentral/NAMEOFYOURNEWLIBRARY  -cdnType Private
  5. Then configure it:
    Add-PnPOrgAssetsLibrary -LibraryUrl "https://gcloudbelgium.sharepoint.com/sites/GCloudCentral/NAMEOFYOURNEWLIBRARY" -OrgAssetType OfficeTemplateLibrary -CdnType Private
  6. Assign Read right to the appropriate group, normally 'All Users (institution)'
  7. Remove Read rights of 'everyone but external user'
        if you forget it, every user in the tenant should see and could use the office templates of the new library even if they don't work in the institution.