Maybe they need something that works without root and IP space allocation. I like WireGuard and use it myself but it is a bit of an installation compared to binding a port
Not a security expert and also curious about implications:
I always considered it the best solution to have both: VPN encryption and TLS encryption over the VPN. Different OSI Layers. Different Attack Surfaces.
Not sure if that is a recommended pratice though (see initial remark ;) )