I have uploaded screenshots of my setup. I use PIA Wireguard VPN. I am unsure why my policy would put other devices under VPN when not specified in the policy to “Use VPN”. It gets noticed by me and my family when we start getting captcha prompts on Google searches. I check the ip and its on VPN for some reason.
A reboot does resolve the issue for the time being. I cannot see anything in my settings that would be the issue.
I do have a custom firewall rule (last screenshot) to add Killswitch to those devices as your built in feature blocks open internet even when allowed by policy.