Tryptamine I guess you could add in an iptables kill switch for the system managed VPN, I'll have to look into that, thanks for the idea!
Yeah, that is what I have always done. I use the built-in wireguard support, and some iptables rules. I think most reputable VPN providers have instructions or at least hints about how to set up such an iptables based kill switch.
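One way to build the kind of iptables-based kill switch described above, as an added example that is not from this thread or from any VPN provider's instructions. It assumes a WireGuard interface named wg0 and a peer endpoint of 203.0.113.10:51820 (a documentation-range address, chosen here only for illustration); the script prints iptables-restore rule sets and only loads them when invoked with the `apply` argument.

```shell
#!/bin/sh
# Added example: iptables/ip6tables kill switch for a WireGuard interface.
# Interface name, endpoint address and port are assumptions for illustration.
set -e

WG_IF="${WG_IF:-wg0}"                        # assumed tunnel interface
WG_ENDPOINT="${WG_ENDPOINT:-203.0.113.10}"   # assumed peer Endpoint IP (documentation range)
WG_PORT="${WG_PORT:-51820}"                  # assumed peer Endpoint UDP port

# IPv4 rule set in iptables-restore format. Default policy is DROP on every
# chain; the only outbound traffic allowed is loopback, packets already inside
# the tunnel, and the UDP handshake/transport to the peer endpoint itself.
# When the tunnel drops, applications cannot fall back to the plain uplink.
killswitch_rules() {
    wg_if="$1"; endpoint="$2"; port="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $wg_if -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $wg_if -j ACCEPT
-A OUTPUT -p udp -d $endpoint --dport $port -j ACCEPT
COMMIT
EOF
}

# IPv6 rule set. The endpoint above is IPv4, so nothing except loopback and
# the tunnel is allowed; this is what stops the classic IPv6 leak where v4 is
# blocked but v6 still goes out over the uplink.
killswitch_rules6() {
    wg_if="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $wg_if -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $wg_if -j ACCEPT
COMMIT
EOF
}

# Load both rule sets atomically (needs root).
apply_killswitch() {
    killswitch_rules "$WG_IF" "$WG_ENDPOINT" "$WG_PORT" | iptables-restore
    killswitch_rules6 "$WG_IF" | ip6tables-restore
}

# Quick self-check on a rule set: default-drop on OUTPUT and an ACCEPT for the
# tunnel interface must both be present. Returns 0 if the rules look sane.
rules_are_sane() {
    rules="$1"; wg_if="$2"
    printf '%s\n' "$rules" | grep -q '^:OUTPUT DROP' &&
    printf '%s\n' "$rules" | grep -q -- "-A OUTPUT -o $wg_if -j ACCEPT"
}

case "${1:-}" in
    apply) apply_killswitch ;;
    show)  killswitch_rules "$WG_IF" "$WG_ENDPOINT" "$WG_PORT"
           killswitch_rules6 "$WG_IF" ;;
esac
```

A practical way to install and remove these rules is from wg-quick's PostUp and PreDown hooks in the tunnel's config file, so the policy is in place before the tunnel is relied on and is cleared when you deliberately bring it down. Note that with this policy DNS only works if the resolver is reached through the tunnel; a LAN resolver is blocked on purpose, since a DNS query on the uplink is itself a leak.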
Tryptamine On Android the kill switch seems to work in conjunction with the VPN app it is set under. As you have found in the above issue tracker report, Mullvad VPN does not effectively block all traffic when VPN connectivity is lost and packets leak. On the other hand, the only VPN app recommended on the GrapheneOS website, the official WireGuard app, does effectively block all traffic upon loss of connectivity!
I wouldn't expect a system provided kill switch to work in conjunction with the VPN app, and I think my ticket showed that doing that is not always secure. I will try to dig a little bit deeper and see if I can understand how the kill switch is implemented in Android, because it sounds odd to me the way it is done, and not particularly secure. I would need to find another way to reproduce the issue anyway if I am going to report it to AOSP, because the "disable network permission" functionality is GrapheneOS specific.
In an ideal world, GrapheneOS would provide native wireguard support. Linux has had it forever. I guess it is just a matter of someone finding the time to implement the UI for it, the kernel should support it already.