It’s not a nonsense design, since the use-case of having some devices only VPN-connected and some not is pretty rare. Normally, you would use some VPN client on the endpoint in that case. I would even say that VPN policies are more of a gimmick than a real solution - in most cases you will go with full VPN (+ excluded domains) or VLAN-based VPN.
In your case, you could either go with a firewall (to block outbound traffic by this MAC via the normal internet) or you could think about using a VLAN / different subnet for routing. In both cases, you have to dig more into networking details - but since your use-case is special, that is what you asked for.