I have traditionally used AFWall+, which requires root, on my phones for a firewall. I've used it in conjunction with a VPN, set to automatically block apps after they are installed, and set apps to either only run over the VPN, only connect to LAN addresses, or both. I require this functionality for a couple apps (Kore being #1 as it's the remote for my TV).
Now I have a new phone and am new to GrapheneOS.
Since GrapheneOS doesn't have root (and can't get root unless I recompile myself, if my understanding is correct), I can't use AFWall+. Enabling the killswitch for my VPN blocks apps from accessing the LAN; not enabling the killswitch allows apps to connect to the internet directly, which I want to avoid.
What are my possible solutions for this?