[ignoramous]

> In my experience the "block all non VPN traffic" options in Android don't work reliably. iptables does however.

Both (iptables/nftables and VPN APIs) have to be enforced by the Linux Kernel, which is subject to the same "Androidisms", if that makes sense.

root, in fact, opens up a gaping hole in that, it totally compromises Android's security model. IMO, it isn't worth to root Android just to run iptables (just because it seems like iptables is what makes a firewall).

[Joe_Cool]

IMHO Android's security model is incredibly flawed anyways. I don't even need root to access stuff I shouldn't have access to on my Mediatek based phone because the firmware has tons of gaping security holes anyways.

I think device you don't have root on isn't really yours and should be treated as a lease.

But you are right, when Wifi/Data is on at boot even the -tables might not get updated fast enough so stuff might get through.