If this works, then it’s okay.
Your rule and the rule(when VPN is on)
config forwarding
option src 'lan'
option dest 'wan'
option enabled '0'
will have an order to be added to the firewall, you may adjust that accordingly.
Actually, when you enable VPN, the traffic will always go via VPN. There was a bug when VPN is offline, but DNS will still go in some scenarios which has been fixed in firmware 4.2.
The killswitch is there to ensure when you turn off VPN, you will not get Internet for router clients.
So if you always turn on VPN, you can turn off the killswitch without adding the extra rules to access WAN-side devices.