Reply to How can I programmatically access the NETunnelProviderManager of a Per-App VPN?
In the current situation the container app is used to personalize the VPN connection (i.e., it receives additional payload data from the admin). For security reasons this additional data MUST NOT be provided by the MDM. (This is a legal requirement we cannot work around.) Additionally, the container app shows status information from the Network Extension that goes beyond connected/disconnected. According to my understanding, that's precisely what provider configurations and sendProviderMessage of NETunnelProviderSession are for. Now, I could try to mimic this functionality with shared control files or shared keychain entries, but this makes the architecture more complex and most likely also more fragile. My expectation is that choosing a "Per-App VPN" over a "Device VPN" makes things more secure and more robust.
Jan ’25
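The app-to-extension message exchange the reply refers to, shown as an added example (not code from the poster or from Apple's documentation). It assumes the container app is able to load the Per-App VPN's NETunnelProviderManager at all, which is the open question of this thread, and that the extension's bundle identifier is the placeholder `com.example.vpn.tunnel`. The message format (a UTF-8 command string) is a hypothetical convention for the example; the NetworkExtension calls used (`loadAllFromPreferences`, `sendProviderMessage`, `handleAppMessage`) are the real API.

```swift
import Foundation
import NetworkExtension

// Container-app side: locate the manager for our tunnel provider and ask the
// running extension for status information richer than connected/disconnected.
// "com.example.vpn.tunnel" is a placeholder bundle identifier (assumption).
func queryExtensionStatus(completion: @escaping (Result<String, Error>) -> Void) {
    NETunnelProviderManager.loadAllFromPreferences { managers, error in
        if let error = error {
            completion(.failure(error))
            return
        }
        // Pick the manager whose protocol points at our provider extension; a
        // managed (MDM-installed) profile would appear here if it is visible to us.
        let ours = managers?.first { manager in
            (manager.protocolConfiguration as? NETunnelProviderProtocol)?
                .providerBundleIdentifier == "com.example.vpn.tunnel"
        }
        guard let manager = ours,
              let session = manager.connection as? NETunnelProviderSession else {
            completion(.failure(NSError(domain: "ExampleVPN", code: 1,
                                        userInfo: [NSLocalizedDescriptionKey: "No manager for our provider"])))
            return
        }
        do {
            // The message is delivered to NETunnelProvider.handleAppMessage in the extension.
            // sendProviderMessage throws if the session is not in a state that can accept it.
            try session.sendProviderMessage("status".data(using: .utf8)!) { reply in
                let text = reply.flatMap { String(data: $0, encoding: .utf8) } ?? "<no reply>"
                completion(.success(text))
            }
        } catch {
            completion(.failure(error))
        }
    }
}

// Extension side: answer app messages. Treat messageData as untrusted input
// (the container app is a separate process) and only return status, never
// credentials or other payload the app is not supposed to see.
class PacketTunnelProvider: NEPacketTunnelProvider {
    override func handleAppMessage(_ messageData: Data, completionHandler: ((Data?) -> Void)? = nil) {
        guard messageData.count < 64,
              let command = String(data: messageData, encoding: .utf8) else {
            completionHandler?(nil)
            return
        }
        switch command {
        case "status":
            // Placeholder status string; a real provider would report its own tunnel state.
            completionHandler?("tunnel=up".data(using: .utf8))
        default:
            // Unknown command: reply with nothing rather than echoing input back.
            completionHandler?(nil)
        }
    }
}
```

Personalization data the admin hands to the container app can travel the same way (app to extension via sendProviderMessage, or placed in `NETunnelProviderProtocol.providerConfiguration` before `saveToPreferences`), which keeps it out of the MDM payload as the reply requires; the extension should still validate whatever arrives, since the message channel carries arbitrary bytes from another process.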