WebRTC isn’t magic. WebRTC does not bypass a VPN, nor is it the only–or even most common–way that software on your phone, Android or otherwise, can exfiltrate potentially sensitive information, intentionally or unintentionally. The way WebRTC on your phone might leak an IP is that during ICE, which is used by more than just WebRTC, the phone’s local IP addresses may be sent, and IPv6 addresses on your WiFi or cell connection may be globally unique. IPv4 local addresses will almost certainly be meaningless, private addresses due to IPv4 address space exhaustion, and any non-local address will be from your VPN gateway.
You cannot block ICE per app or system wide because it is not a system facility, and the permissions required to implement it on Android are not very specific.
WebRTC isn’t magic. WebRTC does not bypass a VPN, nor is it the only–or even most common–way that software on your phone, Android or otherwise, can exfiltrate potentially sensitive information, intentionally or unintentionally. The way WebRTC on your phone might leak an IP is that during ICE, which is used by more than just WebRTC, the phone’s local IP addresses may be sent, and IPv6 addresses on your WiFi or cell connection may be globally unique. IPv4 local addresses will almost certainly be meaningless, private addresses due to IPv4 address space exhaustion, and any non-local address will be from your VPN gateway.
You cannot block ICE per app or system wide because it is not a system facility, and the permissions required to implement it on Android are not very specific.