This needs to be addressed ASAP. As the OP stated, this has worked for years until iOS 15 (to my knowledge, as I've just recently discovered this loophole). As for Safari on macOS, I cannot validate that claim since I haven't used Safari as my primary, go-to browser for many, many years, but for iOS, it's seemingly the only good choice because of good adblocking extensions (other iOS browsers, minus iCab, lack adblocking extensions).
On macOS: Firefox and Brave on macOS DO NOT bypass proxy.pac, blocking websites specified by the proxy's ACL, as expected, while Safari on macOS DOES bypass proxy.pac.
On iOS: Firefox, Firefox Focus, and Safari DO bypass proxy.pac (my guess is because Apple forces developers to develop browsers using Safari's rendering engine).
We use a proxy to help stop tracking at the OS level so that all traffic is filtered. All other apps that access the internet are filtered.
My testing has concluded this issue is specific to only Safari across both platforms most likely due to Apple's implementation of Private Relay. You'd think the issue would be resolved if Private Relay is disabled but the setting (enabled or disabled) has no effect.
I believe this is an issue (or bug) with Private Relay. Disabling Private Relay should address Safari bypassing proxy.pac, but it doesn't. What I am unable to confirm, however, is whether or not all Safari traffic is directed to Apple's server even if Private Relay is disabled. Seems plausible because, as a cross reference, Squid proxy can be configured to ignore ACLs and provide direct connections to websites (meaning all requests can be directed to the proxy server and the proxy will ignore ACLs). If anyone can shed some light on that, please do.
For consideration, Safari extensions, such as 1Blocker, can fill in the gap here.
Topic: Safari & Web
SubTopic: General