Even when the device is locked, the "Active Apps" menu allows anyone with physical access to see the apps running in the background and also terminate them, including VPN applications.
I consider this an issue as it might lead to details about the owner's browsing / communications / app usage activities being exposed.
For instance, an adversary with physical access, knowledge of the owner's identity and access to the network the device is connected to (think law enforcement) could obtain this data by simply analyzing the network traffic originating from background activities, without having to compromise the device or requesting any data from the VPN provider.
Given how there is, besides a negligible convenience benefit, no reason to be able to terminate running apps when the device is locked, I think this should be fixed ASAP.