@raccoondad Please don't recommend people disable OS or app updates, especially for a reason that's not correct. The VPN kill switch feature works perfectly. If you want to avoid showing that you're using GrapheneOS based on connections, all you need is to switch to standard connectivity checks (or disable them, not really recommended due to loss of ability to use captive portals without disabling VPN and less importantly loss of internet downtime detection) and use a correctly working VPN with the default settings since GrapheneOS enables both of those toggles by default.
I'm sure there are other identifiers, but those two come to mind
Both of the connections you mentioned go through the VPN, so it's inaccurate. Connectivity checks are the only exception on GrapheneOS. NTP also doesn't go through the VPN on the stock OS, partly because it uses UDP which doesn't always work via a VPN and partly because correct time is needed to authenticate certificates and it makes it easier for users if it doesn't go through the VPN. We made the GrapheneOS HTTPS time connections go through the VPN by not making an exception for them like Android does for NTP.