Apple bypasses the VPN for their own services and data collection. That's why you can't get a real "lockdown mode" on VPN with them.

There's a documented issue with Android and the IP leaks.

https://www.bleepingcomputer.com/news/google/android-leaks-some-traffic-even-when-always-on-vpn-is-enabled/

I think GrapheneOS fixes this, but maybe nostr:nprofile1qqstnr0dfn4w5grepk7t8sc5qp5jqzwnf3lejf7zs6p44xdhfqd9cgspzpmhxue69uhkummnw3ezumt0d5hszrnhwden5te0dehhxtnvdakz7qgawaehxw309ahx7um5wghxy6t5vdhkjmn9wgh8xmmrd9skctcnv0md0 can confirm.

Discussion

GrapheneOS adds additional fixes to VPN DNS and multicast traffic leaks that Android doesn't have. You can read more about the VPN leak blocking improvements on the VPN page:

https://grapheneos.org/features#improved-vpn-leak-blocking

Some of the Android traffic discussed in articles like this is intentional. For example: connectivity checks are just blank HTTP web pages meant for public networks to forcibly redirect connected users into their login page. On GrapheneOS it's replaced with our own rather than Google's, but there's also the option to use Google's (to blend in) or disable it, which the article mentions us as having. Disabling it breaks connecting to public Wi-Fi networks with a login page, but the connection won't be sent out.

There are other edge cases like VoWiFi for mobile networks when calling.