Not a security expert and also curious about implications:

I always considered it the best solution to have both: VPN encryption and TLS encryption over the VPN. Different OSI Layers. Different Attack Surfaces.

Not sure if that is a recommended pratice though (see initial remark ;) )

Maybe they need something that works without root and IP space allocation. I like WireGuard and use it myself but it is a bit of an installation compared to binding a port