This is great but too big of a hammer for most use cases. What I really want is a per-application firewall.

For example, say I would like to install a photo editing application. It would need access to my photos. That is fine, so long as it is not allowed to connect to the Internet (or any other network). There is currently no way to ensure this.

I use Little Snitch for this, but I agree, a big hammer, and likely more hoops for regular developers to jump through. Notarisation, signing, forced developer keys...

I use Little Snitch on macOS, but it is not available on iOS, so far as I know. Normal apps on iOS do not have enough visibility into the system for that.

Android exposes a soft VPN API that firewall apps can use to block network traffic for certain apps in certain scenarios (say, no Google Play updates when on mobile data) with apps like NetGuard [1].

Does iOS not expose such functionality? Surely there's some kind of VPN API?

[1]: https://github.com/M66B/NetGuard
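As an added example of the mechanism the comment above describes (this is not code from the thread, nor NetGuard's own code), here is a minimal per-app "blackhole" firewall built on Android's VpnService. The service routes only the listed packages into a TUN interface and then discards everything it reads from it, so those apps see a connected network that goes nowhere; it enables the rule only while the active network is cellular, matching the "no Play Store updates on mobile data" scenario. The package name `example.firewall`, the blocked package list and the cellular-only policy are assumptions for illustration.

```java
// Added example, not from the thread or from NetGuard. Package name,
// block list and cellular-only policy are assumptions for illustration.
package example.firewall;

import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.ConnectivityManager;
import android.net.Network;
import android.net.NetworkCapabilities;
import android.net.VpnService;
import android.os.ParcelFileDescriptor;
import android.util.Log;

import java.io.FileInputStream;
import java.io.IOException;

public class BlackholeVpnService extends VpnService {
    private static final String TAG = "BlackholeVpn";
    // Hypothetical policy: these packages get no network while on mobile data.
    private static final String[] BLOCK_ON_CELLULAR = { "com.android.vending" };

    private ParcelFileDescriptor tun;
    private Thread sink;

    @Override
    public int onStartCommand(Intent intent, int flags, int startId) {
        // The Activity that started us must already have obtained user consent
        // through VpnService.prepare(); establish() returns null otherwise.
        if (onCellular()) {
            startBlackhole();
        } else {
            stopBlackhole();   // on Wi-Fi: tear the tunnel down, traffic flows normally
        }
        return START_STICKY;
    }

    // True when the active network's transport is cellular (API 23+ calls).
    private boolean onCellular() {
        ConnectivityManager cm = getSystemService(ConnectivityManager.class);
        Network active = cm.getActiveNetwork();
        if (active == null) return false;
        NetworkCapabilities caps = cm.getNetworkCapabilities(active);
        return caps != null && caps.hasTransport(NetworkCapabilities.TRANSPORT_CELLULAR);
    }

    private void startBlackhole() {
        if (tun != null) return;
        Builder b = new Builder()
                .setSession("per-app blackhole")
                .addAddress("10.0.0.2", 32)   // dummy tunnel address, never used for real traffic
                .addRoute("0.0.0.0", 0)       // capture all IPv4 traffic of the allowed apps
                .addRoute("::", 0)            // and all IPv6, so nothing leaks around the tunnel
                .setBlocking(true);
        for (String pkg : BLOCK_ON_CELLULAR) {
            try {
                // Only the listed apps are routed into the tunnel;
                // every other app bypasses the VPN untouched.
                b.addAllowedApplication(pkg);
            } catch (PackageManager.NameNotFoundException e) {
                Log.w(TAG, "not installed: " + pkg);
            }
        }
        tun = b.establish();
        if (tun == null) { Log.e(TAG, "VPN not prepared or consent withdrawn"); return; }

        // Drain the TUN device and drop every packet: the blocked apps can send,
        // but nothing is ever forwarded and no reply ever comes back.
        final FileInputStream in = new FileInputStream(tun.getFileDescriptor());
        sink = new Thread(() -> {
            byte[] buf = new byte[32767];
            try {
                while (!Thread.currentThread().isInterrupted()) {
                    int n = in.read(buf);  // blocks until a packet arrives
                    if (n < 0) break;      // fd closed by stopBlackhole()
                }
            } catch (IOException ignored) { }
        }, "tun-sink");
        sink.start();
    }

    private void stopBlackhole() {
        if (tun == null) return;
        try { tun.close(); } catch (IOException ignored) { }
        tun = null;
        if (sink != null) { sink.interrupt(); sink = null; }
    }

    @Override
    public void onRevoke() { stopBlackhole(); }   // user disabled the VPN in Settings

    @Override
    public void onDestroy() { stopBlackhole(); super.onDestroy(); }
}
```

To run this, the service must be declared in the manifest with `android:permission="android.permission.BIND_VPN_SERVICE"` and an intent filter for `android.net.VpnService`, and the user must approve the VPN once via the intent returned by `VpnService.prepare()`. To re-evaluate the rule when the device moves between Wi-Fi and mobile data, register a `ConnectivityManager.NetworkCallback` and re-send the start intent from `onAvailable`. Two caveats a practitioner should keep in mind: only one VPN can be active per user, so this approach cannot coexist with a real VPN, and `addAllowedApplication` is an allow-list of apps sent into the tunnel, so any package not listed is not filtered at all.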