missing-root
Some android system components bypass the VPN, like Captive Portal check, connectivity check and SUPL request.
Connectivity / captive portal checks are the same thing. SUPL doesn't bypass the VPN on Tensor Pixels, only Snapdragon where it's implemented by the radio. NTP on AOSP / stock OS does, but this isn't AOSP / stock OS and GrapheneOS doesn't use NTP.
Connectivity checks are the only default connection on GrapheneOS which don't go through the VPN.
SUPL is only used after adding a carrier. Carrier IMS uses a dedicated VPN for Wi-Fi calling/texting which is another non-default connection which doesn't go through the Owner VPN but rather another VPN.
If you would live in such a country switching all those back to Google may be best.
Only connectivity checks are relevant to this on current devices. SUPL is only relevant for Pixel 5a and earlier.
Btw it could be an idea to allow the download of the required OS components over another channel than the Website. Torbrowser uses many, where email, Telegram and others are allowed I think. It is a smaller file, so mirroring things on a Google Server for example may help? Or possibly over Tor?
Updates aren't hosted on our website and we don't want or need any third party hosting for them. Updates are done via the VPN like all other default connections which aren't connectivity checks.