Why is adding sites to /etc/hosts not blocking them on Big Sur?

When this happens, the app you’re using might not be asking Big Sur to look up DNS. For an easy case, you should be able to get Safari to block. Depending on your browser history and what exactly you type - you may need to block more than “cnn.com”:

127.0.0.1 cnn.com  
::1 cnn.com  
127.0.0.1 www.cnn.com  
::1 www.cnn.com  
127.0.0.1 web.cnn.com  
::1 web.cnn.com  
127.0.0.1 cdn.cnn.com  
::1 cdn.cnn.com 

You will also have to disable most of the search bar functionality, since you may be typing a web search in your address bar, and then Google, DuckDuckGo, or Ecosia will look up CNN's IP address for you based on your typing cnn and pre-load from the IP address - not the DNS lookup...

[Image: More private browsing from Safari]

The above image provides suggested settings for Safari on Big Sur if you implement the block list I provided above for https://cnn.com


Web browsers and some security apps in some cases no longer only call the OS for DNS. Malware, potentially unwanted software, and even legitimate programs are starting to hard-code IP addresses to get to their servers - and this can be good in the case where they are testing for broken or malicious DNS - not so good when you're unaware of what they are doing.

The days of hosts ruling the roost may be long gone unless Apple forces all apps to use system calls. You should be able to get Safari on Big Sur to block sites out of hosts - be sure you open an incognito / private tab or quit the app after making changes.

Even trying to block sites and network ranges network-wide using tools like Pi-hole is being lessened in the ever-escalating war between people who want to track and monetize your use of the internet and people who are working towards network neutrality and preserving privacy.

You may have to work with Chrome to ensure it’s using system DNS or install an extension that can help block a site or implement a network block on your router outside the app and outside the OS.
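
An added example, not part of the original answer: a Python check that reads a hosts file, flags blocked names that are missing the IPv4 or IPv6 loopback line, and asks the OS resolver (`socket.getaddrinfo`) whether each name still returns a non-loopback address. The function names `parse_hosts`, `system_resolve` and `audit` are hypothetical; a clean result only shows the system resolver honours the entries, and says nothing about apps that use their own DNS or hard-coded IP addresses.

```python
import ipaddress
import socket


def parse_hosts(text):
    """Map each hostname in hosts-format text to the set of addresses listed for it."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:
            entries.setdefault(name.lower(), set()).add(addr)
    return entries


def system_resolve(name):
    """Ask the OS resolver for a name's addresses; empty set if it does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return set()
    # info[4][0] is the address string; strip any IPv6 zone suffix such as %en0
    return {ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos}


def audit(entries, resolve=system_resolve):
    """Return {name: [problems]} for loopback block entries that are incomplete."""
    report = {}
    for name, addrs in sorted(entries.items()):
        versions = {a.version for a in addrs if a.is_loopback}
        if not versions:
            continue  # not a loopback block entry (e.g. broadcasthost)
        problems = [f"no IPv{v} loopback entry" for v in (4, 6) if v not in versions]
        leaked = sorted(str(a) for a in resolve(name) if not a.is_loopback)
        if leaked:
            problems.append("resolver still returns " + ", ".join(leaked))
        if problems:
            report[name] = problems
    return report


if __name__ == "__main__":
    with open("/etc/hosts") as fh:
        for name, problems in audit(parse_hosts(fh.read())).items():
            print(name, "->", "; ".join(problems))
```

The standard `localhost` entries pass silently because they carry both `127.0.0.1` and `::1`.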