It seems to me Proton’s macOS client leaks because macOS’s Network Extension model doesn’t give third‑party VPNs full, pre‑boot, system‑wide control. Proton chose to rely on NE alone, without adding a pf‑style firewall layer that could close many of those gaps. This is what Apple seems to push everyone towards too.
Apple’s architecture makes it nearly impossible to make a functioning kill switch. Other parties seem to rely on pf. While this may allow for some stronger enforcing, it seems hacky and not a durable solution, and I have to agree with @dngray that it is fairly clear that Apple is pushing everyone to NE and pf will not be possible in the near future.
Now what would be interesting is, if someone can actually pin point issues in the way that proton uses NE. If that is the case I would like to specifically zoom in on that.