Hi all, I'll try it here with more space, since my question kind of drowned in the fuzz when I asked it in the Matrix channel.
Could you please help me to verify my mental model?

  1. If I use Orbot as Always-on VPN and block connections without VPN, then no service I am trying to reach will know the IP address that my ISP provides me, but only the one of the Tor exit node.
  2. Any app in that user profile will only know the IP of the Tor entry node when receiving packets from its server.
  3. This is about the same when using a VPN app like Mullvad. The difference would be that entry and exit node are the same.
  4. Using this setup in GrapheneOS is more secure regarding IP leakage to servers and to apps on the phone than using Orbot and Mullvad as regular apps without the settings mentioned in 1.

Q: How likely is it that a leakage happens nevertheless, compared to the security that, let's say, Whonix provides?
Q: Would you use an app on your phone that you do not fully trust when you'd like to stay anonymous? (Given you are required to use it.)

    chretsn Q: How likely is it that a leakage happens nevertheless, compared to the security that, let's say, Whonix provides?

    Not very likely, but not impossible. Always-on VPN guarantees that all network traffic passes through the VPN app (Orbot in this case). However, if the VPN app has bugs, it can leak some traffic outside the tunnel.

    Note that some traffic is specifically routed outside the VPN tunnel, like Internet connectivity checks. This is by design to make captive portals work.

    Whonix's goal is to prevent leaks; it was designed for that and is a better approach to using Tor if leaks are the main concern, especially if using Whonix on Qubes OS.