I highly recommended sniffing the traffic on the wire and piping it through wireshark. You can do this with a router, or a passive Ethernet tap. You’ll see a bunch of packets going to places other than your VPN entrypoint. If you use a router, you can check your mobile for leaks too. (Did you know if you have WiFi calling enabled, then your phone makes a TCP connection to a sensor server controlled by your ISP every 30 seconds? So if you’ve got T-Mobile and you’re abroad, not even using it as your default SIM, they’ll get a nice log of every exit IP you use.)
Apple’s seeming embrace of support for VPN and network filtering extensions is a red herring, because they’ll happily disable it for their own traffic.
On iOS, the App Store will skip any VPN, and similarly Apple will even block you from downloading updates if you’re on a VPN. I only realized this when I used my wireless router with VPN on it and updates failed to download.
On Mac, there are a bunch of issues, especially on first boot. It seems like the Mac will refuse to establish the VPN until it can make one connection outside of it. I encounter this when my computer wakes from sleep and the on-demand wireguard tunnel (using Cloudflare Warp) fails to send packets. I unplug my Ethernet, disable always-on, wait 30 seconds (for some timeout?), re-enable always-on, and then plug in the Ethernet and in connects. But I’m not actually sure this isn’t leaking, I need to investigate more.