Carrier-based calls/texts don't go through the user's VPN whether it's using the cellular connection or Wi-Fi. VoLTE, VoNR and VoWi-Fi are based on using SIP via IMS over an IPSec tunnel. The IPSec tunnel to the carrier is the VPN and there's always one.
VoWi-Fi could theoretically go through another VPN but it would need to support sending IPSec traffic through it which is not usually the case. You can't trivially send IPSec through another VPN. Linux kernel doesn't support nesting IPSec itself and it causes MTU issues when doing it multiple machines / virtual machines.
Connectivity checks are optional and inherently need to check the underlying networks. NTP is UDP and correct time is required for certificate verification including for a VPN so Android has it bypass the VPN, but we don't use NTP and we don't have our HTTPS network time bypass the VPN. There are also the DNS requests to the DNS resolver provided by the network in order to do these things and to connect to the VPN server that's being used.
None of this is a leak but rather just how things are designed to work. It's not possible to send VoLTE through a VPN and VoWi-Fi would normally break, although it is technically possible for the VPN and the IPSec tunne lto be set up in a way that cooperates and manages to work with some types of VPNs but not most. It definitely can't go via Tor which can't even handle UDP.