Is there a shortcut for creating a custom role that is the same as an existing role, minus some operations?

https://www.palantir.com/docs/foundry/platform-security-concepts/projects-and-roles/#create-new-role-sets describes how to create custom role sets, and includes an example of a role set containing "Editor without ability to sync."

In general, it seems that "X without Y" is a useful concept ("Viewer without ability to export" is another example); however, it doesn't seem that there is a first-class way of defining a custom role in those "subtractive" terms, so in order to create such a role, it is necessary to manually copy all of the operations except for a small subset from the original role (which also means that any new additions to the original role will need to be added manually in the future, if we want to keep them in sync).

Is my understanding correct that there is no convenient shortcut for this use case?

There is 1 best solution below

While a "subtractive" definition is not supported per se, you can greatly reduce the burden of keeping your custom roles up to date by being sure to include "updates" for operation groups that you know will not come to contain operations that you will want to restrict. Although there is still some maintenance burden that remains for other cases, that is a reasonable trade-off for the additional assurance that your role will not come to grant an operation that you did not intend to grant.

Additionally, the time investment of scrolling down the page of operations, observing which operations / operation groups are granted to the default roles, and granting or not granting to your new role is quite modest (it took me about 15 minutes to create a "Viewer without Download" role using that approach), so it's not extremely troublesome that there isn't a shortcut to make that one-time interaction more efficient.