"Always-on VPN" is supposed to tunnel all WiFi and mobile data through the VPN tunnel without having to enable the "Block connections without VPN" feature, also known as VPN Lockdown/Killswitch. The "Block connections without VPN" feature is there for cutting off non-VPN traffic to prevent leaks in case the VPN connection is lost. When the VPN connection is established and is stable, there shouldn't be leaks even when the "Block connections without VPN" feature is not enabled. That isn't the case, and leaks with a stable VPN connection do happen when the "Block connections without VPN" feature is not enabled.
I tested this on my WiFi and it shows the phone trying to resolve domains for various apps outside the VPN tunnel if the "Block connections without VPN" feature is not enabled. Again, that should not be happening if the VPN connection is stable.
Isn't that a flawed implementation? Perhaps GrapheneOS can harden the "Always-on VPN" feature?
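
One way to check a router-side capture for the behaviour described above, as an added example that is not part of the original post: it flags packets sent by the phone to anything other than the VPN server and extracts the name from plaintext DNS queries. The `tcpdump -n` text format, IPv4-only matching, the function name, and every address and domain are assumptions; the sample lines are constructed.

```python
import re

# Assumed input: text lines from `tcpdump -n`, IPv4 only:
#   "<time> IP <src>.<sport> > <dst>.<dport>: <summary>"
PACKET = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)"
)
# DNS query summary, e.g. "12345+ A? app.example.com. (33)"
QUERY = re.compile(r"\b[A-Z]+\? (\S+)")


def find_leaks(lines, phone_ip, vpn_server_ip):
    """Return (dst_ip, dst_port, queried_name) for every packet the phone
    sent to a destination other than the VPN server. queried_name is None
    unless the packet is a plaintext DNS query to port 53."""
    leaks = []
    for line in lines:
        m = PACKET.search(line)
        if not m:
            continue  # not an IPv4 TCP/UDP line (IPv6, ARP, etc. are skipped)
        src, _sport, dst, dport, summary = m.groups()
        if src != phone_ip or dst == vpn_server_ip:
            continue  # not sent by the phone, or addressed to the tunnel
        name = None
        if dport == "53":
            q = QUERY.search(summary)
            if q:
                name = q.group(1).rstrip(".")
        leaks.append((dst, int(dport), name))
    return leaks


# Constructed capture (not real traffic): 192.168.1.50 is the phone,
# 203.0.113.10 the VPN server, 192.168.1.1 the WiFi router's resolver.
SAMPLE = [
    "12:00:01.000000 IP 192.168.1.50.40000 > 203.0.113.10.51820: UDP, length 148",
    "12:00:02.000000 IP 192.168.1.50.41234 > 192.168.1.1.53: 12345+ A? app.example.com. (33)",
    "12:00:02.010000 IP 192.168.1.1.53 > 192.168.1.50.41234: 12345 1/0/0 A 198.51.100.7 (49)",
    "12:00:03.000000 IP 192.168.1.50.40000 > 203.0.113.10.51820: UDP, length 96",
    "12:00:04.000000 IP 192.168.1.50.42222 > 192.168.1.1.53: 222+ AAAA? cdn.example.net. (33)",
]

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE, "192.168.1.50", "203.0.113.10"):
        print(leak)
```

An empty result with the VPN connected means every packet from the phone in the capture was addressed to the VPN server.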