by frankjr 759 days ago
Beware that Little Snitch and other similar network filter extensions leak your IP address to the remote server even if there's an explicit block for that server.

https://lapcatsoftware.com/articles/2023/6/3.html

3 comments

I emailed the dev and they responded by pointing me to this post and explaining that this was because of a design decision by Apple and not something they are able to fix. https://www.obdev.at/blog/three-way-handshake-bypassing-litt...

Perhaps just VPN + Little Snitch is your best bet if you're still worried.

The blog post is mentioned in the first linked article. Needless to say I fundamentally disagree with Apple's decision* - If I explicitly install a firewall, I want it to actually function like a firewall and not let some packets through. The overhead explanation seems a bit like a stretch.

* It's actually not clear whether this is a feature or a bug. Apple never responded to the bug report (FB12088655).

Yeah it seems going to https://feedbackassistant.apple.com/feedback/12088655 the report doesn't even exist anymore.

Would be good to get an official answer from Apple if this is won't fix or coming as a fix in a future release.

> Yeah it seems going to https://feedbackassistant.apple.com/feedback/12088655 the report doesn't even exist anymore.

That link is for Apple engineers. Feedback reports are not public. They're only accessible by the reporter and Apple.

Yep. It's not/wasn't a VPN or DNS proxy but more of a host-side application firewall specifically to control apps' use of outbound connections. If you need pristine infosec, then you need something else and probably public WiFi too.

I used to use LuLu and Little Snitch but LuLu nondeterministically dropped packets and connections causing ssh to drop and navigation problems in the browser, so I had to remove LuLu.

Is this solved by the new set of DNS encryption features?

I wouldn't think so, as the issue mentioned doesn't have anything to do with DNS.