> For example, you can't locally develop a VPN app until you ask Apple permission to develop a VPN app. Almost certainly this is to appease China, which I find particularly egregious.
Can't you manually add a VPN without an app? I haven't needed to configure this myself, but presumably if you're bundling your own VPN app you can do the manual configuration in settings, which is significantly easier.
That only works if your VPN uses one of the 2-3 standard protocols supported by iOS itself.
If your VPN uses a different protocol, you must (with an entitlement) develop an app that gets to execute its code for every packet sent and received. For example, if you want to create a "VPN" that sends and receives packages by audio like an old-school modem, or if you want to implement the WireGuard protocol, or if you want to implement a DNS tunnel, etc.
The good thing is that any random shady app can't just start hijacking and intercepting every network packet for the entire device. The bad thing is that it makes it difficult as an outsider to contribute to open-source VPN apps, since you don't have access to the entitlement (which ultimately requires access to the private code signing keys and provisioning profiles for the developer that DID receive the grant (and the debug device must also be registered there)).
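An added example, not part of the original comments: a Python check that reads a development provisioning profile and reports the two conditions described above, namely whether the profile carries the packet-tunnel Network Extension entitlement and whether a given debug device is registered in it. The sample profile and UDID are constructed, and the plist is located by scanning the signed wrapper without verifying its signature, so this is for inspection only.

```python
import plistlib

# Entitlement key and value Apple uses for custom packet-tunnel VPN providers.
NE_KEY = "com.apple.developer.networking.networkextension"
PACKET_TUNNEL = "packet-tunnel-provider"

# Constructed sample: an XML plist wrapped in placeholder bytes that stand in
# for the CMS signature envelope of a real .mobileprovision file.
_SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Constructed Dev Profile</string>
  <key>Entitlements</key><dict>
    <key>com.apple.developer.networking.networkextension</key>
    <array><string>packet-tunnel-provider</string></array>
  </dict>
  <key>ProvisionedDevices</key>
  <array><string>00008030-CONSTRUCTED0001</string></array>
</dict></plist>"""
SAMPLE_PROFILE = b"\x30\x82\x1f\x00" + _SAMPLE_PLIST + b"\x00\x01signature-bytes"


def embedded_plist(profile_bytes: bytes) -> dict:
    """Extract the plist from a provisioning profile blob (signature NOT verified)."""
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no embedded plist found")
    return plistlib.loads(profile_bytes[start:end + len(b"</plist>")])


def can_debug_packet_tunnel(profile_bytes: bytes, device_udid: str) -> dict:
    """Report whether this profile lets the given device run a packet-tunnel build."""
    profile = embedded_plist(profile_bytes)
    granted = profile.get("Entitlements", {}).get(NE_KEY, [])
    devices = profile.get("ProvisionedDevices", [])
    return {
        "packet_tunnel_entitled": PACKET_TUNNEL in granted,
        "device_registered": device_udid in devices,
        "network_extension_types": sorted(granted),
    }


if __name__ == "__main__":
    print(can_debug_packet_tunnel(SAMPLE_PROFILE, "00008030-CONSTRUCTED0001"))
    print(can_debug_packet_tunnel(SAMPLE_PROFILE, "00008030-NOTREGISTERED"))
```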