Neither Netguard nor PCAPDroid requires a "rooted device"

Personally I do not rely solely on apps to block connections/protocols. While they may work to some extent for such purposes, they can also be useful for port forwarding, logging and packet captures with trailers/extensions

To block connections and protocols I set the device gateway to a computer running a non-corporate OS compiled by the user where the user can operate firewalls, DNS, etc. No "rooted device" needed

However... If VPN settings in corporate mobile OS such as Android can be undermined via Android "updates", as shown by this example, then it stands to reason that Network settings for a network interface such as gateway, DNS, etc. could also be undermined by "updates"

With respect to user control, privacy, etc., corporate mobile OS all suck. IMHO they will continue to suck even more as the years go by, as history has shown so far. The vendors' and users' interests on these issues are not aligned, they are in conflict with each other