You suggest installing userspace apps to control system software that might run in a privileged context. NoRoot Firewall, for example, doesn't control iptables, it just pretends to be a VPN server and privileged software, I assume, can bypass it.
Yes, I'm fully aware of this. There's also the problem of having a closed source baseband processor in pretty much every device.
But bypassing these mechanisms is a decision they had to make. If they're just lazy or incompetent, these userspace apps should be sufficient as a mitigation.
According to the explanation about permissions within NoRoot Firewall itself, any app with the 'Internet' permission can create connections to bypass the VPN. This is how NoRoot Firewall itself works (else the filtered traffic would never escape the app/vpn).
