Sadly all real firewalls need root. I was using AFWall+ for a long time; it has neat controls for every app to allow or deny Wifi, Cell or LAN (if you have it). It is an iptables/nftables frontend so you can customize the rules to your heart's content: https://github.com/ukanth/afwall
Works from Android 2+
Without root only VPN solutions like Adguard are available.
EDIT: if you want neat stats: Glasswire has an Android version. I have only used the beta so I have no idea about its current state. Might be worth checking out though.
I thought parts of the Android OS can bypass the VPN so the firewall becomes ineffective against blocking Google, OEMs, and others that have root. Wouldn't the VPN API being used as a firewall also prevent one from using a VPN client at the same time?
> In my experience the "block all non-VPN traffic" options in Android don't work reliably. iptables does, however.
Both (iptables/nftables and VPN APIs) have to be enforced by the Linux Kernel, which is subject to the same "Androidisms", if that makes sense.
Root, in fact, opens up a gaping hole in that; it totally compromises Android's security model. IMO, it isn't worth rooting Android just to run iptables (just because it seems like iptables is what makes a firewall).
IMHO Android's security model is incredibly flawed anyways. I don't even need root to access stuff I shouldn't have access to on my MediaTek-based phone because the firmware has tons of gaping security holes anyways.
I think a device you don't have root on isn't really yours and should be treated as a lease.
But you are right, when Wifi/Data is on at boot even the -tables might not get updated fast enough so stuff might get through.