on paper (Android 8 and up) has the always-on type VPN that blocks any network connection not using the VPN (disallows bypass). I haven't yet poked at how it works if multiple apps create VPNs; I assume only one VPN of this type can be active.
The single-app restriction is a consequence of how the API works, but the always-on VPN doesn't prohibit system apps from binding to an interface and bypassing the VPN configuration.
This kind of makes sense; you probably want a modem manager to talk to the modem interface directly, but it can be abused by data-hungry manufacturers and perhaps Google.