There are 2 issues here:
- The VPN apps not implementing “killswitch” supported by OSes (regardless of whatever valid justification).
  - This, presently, is PG’s minimum criteria for recommended VPNs.
- The VPN apps not being able to guarantee that no traffic will leak (which they can never, unless they have privileged access, which they don’t on most OSes including Android and iOS).
Issue #2 on Android, for instance, is a limitation stemming from sandboxes an app might be subject to.
Both issues #1 & #2 are a genuine concern if your threat model says, “Use VPN to hide traffic from ISP”, when no such thing is possible without installing VPN software on the router & hoping the router itself does not have “holes”. This puts into question the 4 points PG today presents as justification for using a VPN, which are:
Should I use a VPN? Yes, almost certainly. A VPN has many advantages, including:
- Hiding your traffic from only your Internet Service Provider.
- Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
- Hiding your IP from third-party websites and services, helping you blend in and preventing IP based tracking.
- Allowing you to bypass geo-restrictions on certain content.
Point #1 is not possible on some platforms (like iOS and Android), either due to missing implementation on the VPN provider’s official client or due to the OS not extending such guarantees to userspace (as in the case of Android and … iOS?).
None of the recommended providers meet Point #2, but maybe there are other providers that do: Clarification on "torrenting" in the VPN page · Issue #3176 · privacyguides/privacyguides.org · GitHub
For VPN client apps, Point #3 (hiding client IP from 3p apps and websites) only holds if the providers implement the OS-provided killswitch.
Point #4 is debatable as some services know VPN IP ranges and will not let you access geo-restricted content. Usually, residential proxies are needed to bypass geo-restricted content, but those have nothing to do with VPN providers themselves, and rather involve a very shady network of operators that run proxies on compromised IoT and other Internet-connected devices like Projectors / TVs / Streamboxes / Access Points / etc. Not anything that’s ethical by any stretch of my imagination, but YMMV.
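
The leak concern in issue #2 can be checked from outside the device instead of trusting the client app. The sketch below is an added example, not part of the original post: it reads a flow log taken on the LAN side of the router and flags anything a client sent towards the ISP that was not addressed to the VPN endpoint. The log format, the addresses and the WireGuard-style endpoint port are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

class Flow(NamedTuple):
    ts: float
    src: str
    dst: str
    proto: str
    dport: int

# Constructed sample (documentation address ranges): seconds src dst proto dst_port
SAMPLE_FLOWS = """\
# tunnel up, then a brief reconnect window around t=2.7s
0.00 192.168.1.50 198.51.100.7 udp 51820
0.40 192.168.1.50 198.51.100.7 udp 51820
1.10 192.168.1.50 192.168.1.1 udp 67
2.75 192.168.1.50 203.0.113.53 udp 53
2.90 192.168.1.50 203.0.113.80 tcp 443
3.20 192.168.1.50 198.51.100.7 udp 51820
"""

def parse_flows(text):
    """Parse the whitespace-separated flow log, skipping blanks and comments."""
    flows = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"line {n}: expected 5 fields, got {len(parts)}")
        ts, src, dst, proto, dport = parts
        flows.append(Flow(float(ts), src, dst, proto.lower(), int(dport)))
    return flows

def find_leaks(flows, client, endpoint, lan_cidr):
    """Return flows from `client` that left the LAN outside the tunnel."""
    lan = ipaddress.ip_network(lan_cidr)
    leaks = []
    for f in flows:
        if f.src != client:
            continue
        dst = ipaddress.ip_address(f.dst)
        if dst in lan or dst.is_multicast or f.dst == "255.255.255.255":
            continue  # stays on the local segment, never reaches the ISP
        if (f.dst, f.proto, f.dport) == endpoint:
            continue  # encrypted tunnel traffic to the VPN server
        leaks.append(f)
    return leaks

if __name__ == "__main__":
    endpoint = ("198.51.100.7", "udp", 51820)  # assumed VPN server address and port
    for leak in find_leaks(parse_flows(SAMPLE_FLOWS), "192.168.1.50", endpoint, "192.168.1.0/24"):
        print(f"LEAK t={leak.ts:.2f}s {leak.proto}/{leak.dport} -> {leak.dst}")
```

On the constructed log this reports the plaintext DNS query and the direct HTTPS connection made while the tunnel was down, which is the window an OS-enforced killswitch is meant to close.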