
I gave up on trusting phones to secure data a long time ago. But my approach is, at least when on wifi, to allow access to the internet only if the device connects to a local VPN gateway. 100% leak proof, and it prevents almost all wifi/LAN/MITM attacks.


What if a system-level (read: root) process doesn't respect your user-configured routing table? That's the real issue here. The only mitigation would be to physically remove the undesirable NIC(s) from the system, which is obviously impossible on SoC hardware.


It won't make a difference: the other end (gateway) will only accept VPN connections, nothing more or less. Devices that can't establish a connection with your wg/OpenVPN won't be able to communicate with any other device anywhere in any way, period.
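
A gateway-side ruleset of the kind the two comments above describe (the wifi LAN gets nothing from the gateway except the WireGuard port, and only traffic arriving over the tunnel is forwarded upstream), written here as an added example and not taken from the thread. The interface names wlan0/wg0/eth0 and the port 51820 are assumptions; DHCP is let through on the wifi side so clients can obtain an address at all.

```shell
#!/bin/sh
# Added example (not from the thread): render an nftables ruleset for a
# "VPN or nothing" gateway. Interface names and the port are assumptions.
WLAN_IF="${WLAN_IF:-wlan0}"     # untrusted wifi LAN side (assumed name)
WG_IF="${WG_IF:-wg0}"           # WireGuard tunnel interface (assumed name)
WAN_IF="${WAN_IF:-eth0}"        # upstream interface (assumed name)
WG_PORT="${WG_PORT:-51820}"     # WireGuard listen port (assumed; wg's default)

# Render the ruleset to a file so it can be reviewed, then applied with `nft -f FILE`.
write_ruleset() {
  out="$1"
  cat > "$out" <<EOF
flush ruleset
table inet vpn_only {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    # Wifi clients may talk to the gateway only to bring up the tunnel.
    iif "$WLAN_IF" udp dport 67 accept        # DHCP so they get an address
    iif "$WLAN_IF" udp dport $WG_PORT accept  # WireGuard handshake and data
    iif "$WLAN_IF" drop
    # Everything else (DNS to the gateway, admin, ...) must arrive through the tunnel.
    iif "$WG_IF" accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # Only tunnel traffic reaches the internet; the raw wifi LAN never does.
    iif "$WG_IF" oif "$WAN_IF" accept
    iif "$WLAN_IF" drop
  }
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oif "$WAN_IF" masquerade
  }
}
EOF
}

# Sanity check on the rendered file: count the accept rules that match on the
# wifi interface. There should be exactly two (DHCP and WireGuard).
wifi_accepts() {
  grep -c "iif \"$WLAN_IF\" .* accept" "$1"
}
```

Because the policy lives on the gateway, it holds no matter what a client's own routing table (or a root process ignoring it) does: a packet from the wifi side that is not WireGuard to the gateway is dropped, and a packet that never entered the tunnel is never forwarded. It only governs traffic that actually reaches this gateway, which is the point the reply above is making.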


We're talking here about the ability to control which NIC localhost traffic egresses through on a device with multiple NICs, even when some of those NICs may be virtualized, like a TUN interface for example. Anything and everything else is upstream.


Why would localhost traffic be routed via non-loopback NICs? I think you are talking about something else and I am not following. Sorry.


By "localhost traffic" I meant literally any traffic generated by a given device, its operating system, and any applications running on it, no matter the destination.



