Since you're in the security team, could you comment on why Android requires you to set up some sort of lock security just in order to have a VPN configured (even if it's not in use)?
That never made any sense to me. I believe it assumes corporate use of a VPN, where it makes sense that it should be secure (you don't want an unidentified party with free access to your company's internal network), but for many users it's just a way to encrypt potentially unsafe connections, such as when you're connected to some random WiFi hotspot while travelling.
And even if you assume a sensitive VPN, the user has the option of not saving the password, so that any attacker would be unable to connect to it anyway.
In any case I don't think it's the VPN setting's position to be enforcing security on domains outside of its control. That'd be like Android forcing me to set a PIN just because I have the Facebook app installed - "you probably have private data in that app, so we're protecting you from yourself".