As you probably know, using Group filtering would not be supported beyond basic initial pilot testing, so no, that would not be an option for the long term if you want to be supported.
If you want to use a group, why not create a scheduled Powershell task that checks for any members in that group and then updates a custom attribute of your choosing on the member's AD accounts that filters that account from the sync? I know you don't want to use a script or modify attributes, but that, to me, is a safe and supported method to accomplish this.