You seem to be conflating routing and firewalling/access control.
You can control your routing table using standard tools (ip route add). You can have helper applications work on it, and get hints from external sources like DHCP, where you can listen to its suggestions (IP, subnet, DNS, extra routes, and other options), or ignore them.
If you take those hints then that's your choice.
With ICMP redirects you can choose to allow them or not with settings like net.ipv4.conf.all.accept_redirects.
Then as a belt and braces you have iptables. If you want an ACL on the network interface to say "DENY all traffic except from VPN application", then set your input/output/forward chains to default deny and have a rule to allow from pid=$vpn_pid. I believe you can use pid in pre/postrouting chains.
Personally when I'm travelling I have rules which only allow access to my VPN targets, and from memory just DHCP and ARP. Have to temporarily disable it for captive portals but then it's back on. Sometimes a network won't accept UDP, so I generally have to tether for normal response.
If they were, it would be a simple setting to set an ACL on the network interface to say "DENY all traffic except from VPN application".
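
Added example, not part of the original comment: a default-deny IPv4 ruleset of the kind described above (only DHCP and the VPN target allowed on the physical interface), printed in iptables-restore format so it can be reviewed before loading. The function name, the interface names wlan0 and tun0, the endpoint 198.51.100.10 and port 51820 are constructed placeholders, and allowing all traffic on the tunnel interface is an assumption about how the VPN is used.

```shell
#!/bin/sh
# Added example (hypothetical helper): print an iptables-restore ruleset that
# drops everything except loopback, DHCP, one VPN endpoint and tunnel traffic.
# Args: physical interface, VPN server IPv4, protocol, port, tunnel interface.
vpn_only_ruleset() {
    [ $# -eq 5 ] || { echo "usage: vpn_only_ruleset IF IP PROTO PORT TUN" >&2; return 2; }
    phys_if=$1; vpn_ip=$2; vpn_proto=$3; vpn_port=$4; tun_if=$5
    case $vpn_proto in
        udp|tcp) ;;
        *) echo "protocol must be udp or tcp" >&2; return 1 ;;
    esac
    case $vpn_port in
        ''|*[!0-9]*|??????*) echo "port must be 1-65535" >&2; return 1 ;;
    esac
    if [ "$vpn_port" -lt 1 ] || [ "$vpn_port" -gt 65535 ]; then
        echo "port must be 1-65535" >&2; return 1
    fi
    # ARP is not IP traffic, so iptables never sees it and needs no rule.
    # Redirects are a separate knob: net.ipv4.conf.all.accept_redirects.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $phys_if -p udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -o $phys_if -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o $phys_if -d $vpn_ip/32 -p $vpn_proto --dport $vpn_port -j ACCEPT
-A OUTPUT -o $tun_if -j ACCEPT
COMMIT
EOF
}

# Review, then syntax-check as root without committing:
#   vpn_only_ruleset wlan0 198.51.100.10 udp 51820 tun0 | iptables-restore --test
```

This covers IPv4 only; IPv6 needs its own default-deny policy loaded through ip6tables.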