How to force geckoview to use a dedicated network connection

On Android, I have a private VPN connection that I can identify via the ConnectivityManager (Network Request Transport Type: TRANSPORT_VPN, removeCapability: NET_CAPABILITY_NOT_VPN). It does not use proxy authentication.

In my application (which uses geckoview as browser engine) I have registered a NetworkCallback that binds this network to my app with every onAvailable() call using the bindProcessToNetwork() method.

This works fine - geckoview then displays content that is only available via this VPN connection (and not via the public Internet).

However, geckoview seems to be able to establish connections that are not accessible via this VPN connection (normal public content). Since I want to prevent this, I am looking for a solution that prevents connections over the public Internet.

Does anyone have an idea how to do this, or a link to an implementation?