Proton VPN Android App Privacy firewall
Trackercontrol uses a similar feature to implement a VPN to nowhere or loopback, to gain network access control over the android phone, then it can control on a per app basis what each app has access too via the network. Proton could essentially gain privacy control of all apps, preventing vanilla users from making mundane mistakes in granting access to privacy to sub-standard apps. Require users to grant access to a per app basis to a per dns(with explanation) for each app.
This could be integrated into the VPN app, so if a user uses an actual VPN, it would be no additional resources.
Obviously a hefty disclaimer would be needed to let users know that disabling network access could possibly break the app, to any particular, or all connection attempts. That is just want popup to scroll to the bottom and accept at the beginning.
The hardest part to figure out is what system access is required, and not required. app stuff should be easy to figure out based on the dns