Allow push to protected branches for certain folders

I use a mono repo for several reasons. There are some top level folders that I would like to protect from direct pushes, hence, if a push contains files in these “protected” folders it would be rejected.
I have tried Codeowners in combination with protected branches but it turns out that a user/role either has the right to push to the protected branch or not. The Codeowners definitions is not applied if a user is allowed to push. And if a user is not allowed to push, then also Codeowners are not relevant.

It seems the standard fashion to solve this is a simple server hook for pre-receive. A very simple script would then check if the push containes files in such a folder and rejects the push if that is the case. However, I am an GitLab SaaS where it seems you cannot add a server hook (which is strange because a server hook would be specific to a repository).

Ideas how to make that work?