by eptcyka 2089 days ago
It's somewhat unintuitive that a virtualized guest can circumvent the host's firewall/network stack when the guest doesn't have an explicitly bridged or passthrough'd physical adapter.

It's not circumventing. It exists outside it.

As for the parent, if it's a Microsoft product running on Windows and Windows has a firewall, I'd expect it to be an effective firewall, at least for the things Microsoft gives me.

Windows, while Hyper-V is enabled, runs atop the Hyper-V VMM as a VM, the same way as Linux running as Xen Dom0.

WSL2 uses Hyper-V, so Windows running WSL2 is running on Hyper-V, not bare metal. Being a different VM than the Windows “Dom0”, the Linux kernel in WSL2 would have a direct connection to the Hyper-V virtual Ethernet switch. I think that’s what is happening.

The host is the hypervisor though, isn't it? Not the Windows inside it.

Exactly this. If you're running WSL2 then you're in Hyper-V mode, which means Windows itself is also running virtualized. The WSL VM is a sibling of Windows on the hypervisor stack, not hosted inside of it.