VPN is not a replacement TCP/IP stack. I literally meant the TCP/IP stack in the XNU kernel. It might be an esoteric example but it's not that far off. DMA already forced Apple to open up browser engine layer so third-parties can now bring in their own browser engines in the EU and are not restricted to using just WebKit.
True. Will add, device must be supervised to use VPN always-on which is possibly sensible albeit annoying (would have to reinstall iOS and set up as new I believe).