If you have to override what the application asked for you have already lost (in that you are using an untrustworthy application, and worse, insist on combining it with anything else). You need to recalibrate your expectations to what open source means.
Just turn off WiFi if you are so inclined. Mac spoofing alone does not do much good - it’s a gimmick.
Again, you already lost with using untrustworthy applications in the first place.
Of course it has a normal firewall.
Having to mess with what individual apps are allowed to do like is fashionable on Android… again, you already lost by putting yourself in that situation.
That one is pretty basic, for sure. Speaking as an actual developer.
Now this actually isn’t half stupid. But i know too little about the architecture to know if that could be done properly or would just be a circumventable gimmick.
Sooner or later i will revisit cellular protocol logging and we might be able have something akin to https://play.google.com/store/apps/details?id=de.srlabs.snoopsnitch&hl=en&pli=1
Though many of the problems that’s originally built to guard against are actually solved [for modern technologies]. The question is what remains.