by v4n4d1s 2647 days ago
This has to be fixed by HMD and I hope for an official investigation as most other manufacturers are probably doing the same.

In the meantime, I recommend the following:

1. Remove any unnecessary packages through ADB (https://www.xda-developers.com/uninstall-carrier-oem-bloatwa...)

2. Use Shelter (https://f-droid.org/en/packages/net.typeblog.shelter/)

3. Use a VPN-Firewall such as NetGuard (https://f-droid.org/en/packages/eu.faircode.netguard/) or NoRoot Firewall (https://play.google.com/store/apps/details?id=app.greyshirts...).

5 comments

This should be fixed at an even higher level, and have Google force manufacturers to not add or alter the base OS for any data-gathering reasons in Android One and deny them from using the Android One brand if they do, or people will lose faith in the Android One program.

That, my friend, would be abusing their monopoly position.

Google hoovers up all the data and tells their partners they can't do this too? The antitrust regulators would have a field day.

According to the statement HMD Global gave to NRK, they have already rolled out a software update to fix this issue. Of course there is almost guaranteed to be other spyware on the phone serving the curiosity of the same and different masters, like Google.

Google should revoke their use of the AndroidOne trademark over these shenanigans.

Thank you for linking Shelter, I had no idea that was possible and that easy software for it existed!

You suggest installing userspace apps to control system software that might run in a privileged context. NoRoot Firewall, for example, doesn't control iptables; it just pretends to be a VPN server, and privileged software, I assume, can bypass it.

Yes, I'm fully aware of this. There's also the problem of having a closed source baseband processor in pretty much every device.

But bypassing these mechanisms is a decision they had to make. If they're just lazy or incompetent, these userspace apps should be sufficient as a mitigation.

Check this out for a more sophisticated way: https://privacyinternational.org/node/2732

According to the explanation about permissions within NoRoot Firewall itself, any app with the 'Internet' permission can create connections to bypass the VPN. This is how NoRoot Firewall itself works (else the filtered traffic would never escape the app/vpn).