If I understand your question correctly then you want to disable tags based on eventtypes & you are talking about below eventtypes.conf stanza
# osx sshd authentication error
# Jul 16 11:10:45 mycomputer sshd: error: PAM: authentication error for xxx from localhost via ::1
search = (NOT sourcetype=stash) NOT sourcetype=ossec sshd (((Accepted OR Failed OR failure OR "Invalid user" OR "authentication error") from) OR "Authorized to" OR "Authentication tried" OR "Login restricted")
#tags = authentication remote
If this is the case then do not disable this stanza in eventtypes.conf but disable tags in tags.conf
So if you want to disable authentication tag then you can do below configuration in tags.conf
but in as per your suggestion, the hard-work of eventtypes will be done by Splunk ?
So in above example, the [sshd_authentication] is done on EVERY single source-type and dataset, which is hugely inefficient & un-necessary step as we are not using the eventtype anymore.