Blocked is a system boolean, which acts upon wrong login attempts and is set back to false after x period of time.
If you want to block a user from logging in as an administrative measure, use the boolean Active.
In addition to this: why have a manager create a USER? Why not add a participant, which will create a related account under the hood, if needed and with the right conditions?
Please check the access permissions for admin & manager for the Blocked attribute.
Tested myself in 8.9
So, I can’t reproduce the strange behavior that you have. Correct my setup if I took a different path than you did.
But I ran into the issue that an account with limited admin rights cannot write on the active and blocked attributes at all.