So far, using the stock openvpn package in Debian, it doesn't look like the Disney+ circumvention is happening for NordVPN's US servers.
I'm guessing that the NordVPN client must do it.
And if that's the case, it may merely route traffic directly through the residential proxy, and not first through a NordVPN server. Which wouldn't be good, because someone investigating the residential proxy would see the users IP address, rather than the exit IP address of the VPN server.
Well, I had only little time to dig further but I can confirm your findings that OpenVPN alone behaves as it should while the NordVPN client acts differently. However, wireshark says I am only communicating with the NordVPN server when connected through their client. I would love to know where the difference in configuration is. I always assumed NordVPN would just call OpenVPN with the public ovpn configs. They call the OpenVPN client with a config that is shortly deleted after OpenVPN starts but can be extracted when swapping the openvpn binary. It looks unsuspicious. A management unix socket is opened to control the OpenVPN client. I would like to know how the communication is configured.
I was testing "www.disney.com", not "www.disneyplus.com".
Now I always see residential proxies for US servers. Or SSL certificate failures, occasionally.
Edit: That's using either the Windows GUI client, or the Linux terminal client in Debian. Not using "Obfuscate", "CyberSec", or other non-default options. But residential proxies aren't used for "www.disney.com" or "paypal.com".
Also, with the stock openvpn in Debian, I don't see residential proxies being used for "www.disneyplus.com".
EDIT: package from https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/