After quite some testing I finally figured out that I can use an <If> directive and the REQUEST_FILENAME variable to achieve an explicit whitelist based on absolute file paths, i.e.

<Directory "/var/www/html/*">
   Require all denied
   <FilesMatch "\.(html?|php|xml)">
      <If "%{REQUEST_FILENAME} =~ m#/var/www/html/(index\.html|data\.php|content\.xml)#">
         Require all granted
      </If>
   <FilesMatch>
</Directory>