Your writeup is IMO much better than the way this is being reported.
FWIW, I remember reading something similar years ago (I'm not certain it was your specific post, but it might have been). It's strange to see this being described as "novel" now, unless there's something new to it that I am missing.
It's probably more straightforward to have the firewall block all traffic from using the non-VPN interfaces (ie. blacklist approach) instead. In the other thread[1] there was disagreement about whether commercial VPN services actually implement their 'killswitch" in this way. Apparently NordVPN does not (hearsay), but neither side provided a good survey of other providers.
Whoops, I posted too early in the morning, I meant to say "malicious subnet mask" :-)
Basically, the DHCP server sends a subnet mask for an absolutely huge subnet (e.g. a /2), and the route for that subnet takes precedence over the VPN route. The attacker can only intercept 25% of the IPv4 address space with a /2 but that's still pretty bad.
Cloudflare Warp is free, I think - if you create a Zero Trust Organisation for free and configure the Warp client to use it, you can use unmetered Warp+ with Argo routing without charge.
FWIW, I remember reading something similar years ago (I'm not certain it was your specific post, but it might have been). It's strange to see this being described as "novel" now, unless there's something new to it that I am missing.