I believe you can still block the specific destination IPs with pf using murus if you want, but yes it's quite bothersome.

You can find the full list of apps that bypass it here: /System/Library/Frameworks/NetworkExtension.framework/Versions/A/Resources/Info.plist under ContentFilterExclusionList.

I haven't tested yet, but you can apparently also remove from their hidden traffic list via recovery mode:

https://tinyapps.org/blog/202010210700_whose_computer_is_it....

But regardless, it's absurd that they're doing this and opens up an opportunity for malware to bury themselves undetected in one of these processes.