> In my experience the "block all non VPN traffic" options in Android don't work reliably. iptables does however.
Both (iptables/nftables and VPN APIs) have to be enforced by the Linux Kernel, which is subject to the same "Androidisms", if that makes sense.
root, in fact, opens up a gaping hole in that, it totally compromises Android's security model. IMO, it isn't worth to root Android just to run iptables (just because it seems like iptables is what makes a firewall).
IMHO Android's security model is incredibly flawed anyways. I don't even need root to access stuff I shouldn't have access to on my Mediatek based phone because the firmware has tons of gaping security holes anyways.
I think device you don't have root on isn't really yours and should be treated as a lease.
But you are right, when Wifi/Data is on at boot even the -tables might not get updated fast enough so stuff might get through.
Ah that's why the premium stuff is now free. I was wondering. Let's hope it's not the first sign of enshittification.
> What do you mean by a "real" firewall?
In my experience the "block all non VPN traffic" options in Android don't work reliably. iptables does however.
It's a sad state that you cannot even set a static IPv6 on Android without root.