> <@cn3m:privacytools.io> Q: Leaks on Startup and update? 
> A: AFWall(yes), NetGuard(yes), GrapheneOS(no)
> Q: Leaks with low level network sockets? 
> A: AFWall(yes), NetGuard(yes), GrapheneOS(no)
> Q: Leaks with system apps like Download Manager and Push Notifications?
> A: AFWall(yes), NetGuard(yes), GrapheneOS(no)
> Q: Leaks with apps due to IPC?
> A: AFWall(yes), NetGuard(yes), GrapheneOS(yes)
> Q: Leaks with keyboard clipboard attacks?
> A: AFWall(yes), NetGuard(yes), GrapheneOS(yes)
> 
> Generally speaking all are flawed, but GrapheneOS should be relatively great if you isolate the app to a dedicated profile

AFWall+ does not leak on startup and update if you set a startup script. It's there in setting. If some body is using AFWall+ then he/she is rooted - so he can also use a startup script to disable wifi/mobile data on boot.