I don’t think you can draw this conclusion from this TN, and it’s more of an uneducated guess rather than a definitive thing. The beginning of that article clearly explains why Apple says it shouldn’t be used in shipped apps:
macOS implements the BSD Packet Filter mechanism. This has two expected use cases:
As an implementation detail of various system services built-in to macOS
As an advanced feature for users, site admins, and so on
It is not considered API. <…>
Network Extensions are indeed much more maintainable than PF rules for app developers as they allow you to update your extension reliably without affecting the rest of the system. This is not possible with PF because the ruleset (even with anchors) is a global state shared between everything on your computer, so the more apps relying on it the more chances that something goes wrong. I also believe macOS apps can’t manage the firewall from within a sandbox, so an app which relies on it can’t be distributed on the Mac App Store.
I’m not Apple though, so who knows what are they up to but I’d be extremely surprised if they just removed a firewall from their base system without providing an alternative. Especially given they need this functionality themselves and they know users need it as well.
I don’t think this is an issue with how Proton uses it: Why we still don't use includeAllNetworks | Mullvad VPN