I'm not sure where you got your numbers from, there are only 919 root-delegated Top Level Domains. There are a few hundred more pending new gTLD application with ICANN so the total for the next few years won't exceed 1200. (There are plans for a second round of new gTLD applications. The first round cost each applicant $185,000 USD.)
Definitions:
TLD = Top Level Domain
gTLD = Generic Top Level Domain (.com, .net, .org, .info, .biz)
new gTLD = New Generic Top Level Domain recently allowed by ICANN (.club, .bike, .software, .guru, .ninja, .computer, .sucks, .wtf, .porn, .xn--io0a7i, .google, .canon etc etc)
sTLD = Sponsored Top Level Domain aka "restricted TLD" (.aero, .pro, .tel, .museum, .travel, .edu, .coop etc)
ccTLD = Country Code Top Level Domain (.uk, .me, .io, etc)
Extension = a sub-domain you can register under (.co.uk, .de.com, 0.bg, .com.au etc)
Sponsored TLDs are restricted. For instance, you need a "UIN" delegated by the "Travel Industry" for a .travel domain, only legit museums can get a .museum domain, and only licensed professionals can get a .pro domain, which is why you don't see many of them (and never get spam from them either).
All legacy gTLDs are unrestricted. For awhile, .info domains were sold super cheap ( $5) so scammers bought them up.
Most new gTLDs are unrestricted, while some are restricted like .berlin and .nyc (need to be local to the city) and .bank (need to be a real financial institution and get audited every 2 years and sign your domain with DNSSEC, etc).
ccTLDs can do whatever they want and are not governed by ICANN.
For now, you can "blacklist" new gTLDs without much consequence, because people and businesses are only starting to use them. Keep in mind scammers/spammers/annoying-people register CHEAP domains, so you might want to blacklist .xyz (cheap) but not .bank (expensive). But in the future, legitimate activities under new gTLDs will occur so you might want to allow them over time.
But really, why block at the TLD level and not based on content and RFC compliance?