mitigate DHCP cloaking attack
https://www.leviathansecurity.com/blog/tunnelvision explains in detail how a new vulnerability can be used for targeted attacks on unsecured networks such as public Wi-Fi. As a result, traffic can be routed outside of the VPN tunnel.
The article also contains a section about possible fixes. The most secure solution for Linux-based OSes would be to use network namespaces. As a side effect, this approach would allow us to implement the basis for per-app split tunneling, a feature that Bitmask Android also supports.
Another option would be to tweak our firewall rules for Linux + macOS (and to implement them for Windows in the first place), as described in the article.
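
A defender-side check for the symptom described above (traffic routed outside of the VPN tunnel), as an added example that is not Bitmask's code and not taken from the linked article: it audits `ip -4 route show` output for routes on a non-tunnel interface that are more specific than a tunnel route and therefore win the longest-prefix match. The interface name `tun0`, all addresses and the sample route table are constructed assumptions, and connected (`proto kernel`) routes are assumed to be expected local-LAN routes.

```python
import ipaddress

# Constructed sample of `ip -4 route show` output with the VPN up.
# Assumptions: tun0 is the tunnel interface, 203.0.113.10 is the VPN gateway.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
203.0.113.10 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.57
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
8.8.8.0/24 via 192.168.1.1 dev wlan0 proto dhcp metric 600
"""


def parse_routes(text):
    """Yield (network, device, proto) for every route line that names a device."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # route types such as "unreachable" or "blackhole"
        dev = fields[fields.index("dev") + 1]
        proto = fields[fields.index("proto") + 1] if "proto" in fields else None
        yield net, dev, proto


def find_bypass_routes(text, tunnel_dev, allowed):
    """Return (network, device) pairs that override a tunnel route.

    `allowed` lists networks expected to stay off the tunnel, e.g. the
    VPN gateway's own /32 host route.
    """
    routes = list(parse_routes(text))
    tunnel_nets = [net for net, dev, _ in routes if dev == tunnel_dev]
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    findings = []
    for net, dev, proto in routes:
        if dev == tunnel_dev or proto == "kernel" or net in allowed_nets:
            continue
        # A longer prefix inside a tunnel route takes precedence over it.
        if any(net.subnet_of(t) and net.prefixlen > t.prefixlen for t in tunnel_nets):
            findings.append((str(net), dev))
    return findings


if __name__ == "__main__":
    print(find_bypass_routes(SAMPLE_ROUTES, "tun0", ["203.0.113.10/32"]))
```

A non-empty result means some destinations leave through the physical interface even though the tunnel is up; the check only observes the routing table and does not replace the namespace or firewall mitigations discussed above.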