How do you do that in Windows? I never saw any ability to do firewalling by network adaptor.
You can limit any firewall rule to work on one or more interface types on the Advanced tab of the rule's properties. This isn't quite as good as specifying the adaptor if you have really complicated networks, but it does the trick for 99.9% of cases. The three interface types are (as copied from the help file for the firewall):
Local area network
The rule applies only to communications sent through wired local area network (LAN) connections that you have configured on the computer.
The rule applies only to communications sent through remote access, such as a virtual private network (VPN) connection or dial-up connection that you have configured on the computer.
The rule applies only to communications sent through wireless network adapters that you have configured on the computer.
So for my example, if I don't want Steam to download updates through my work's VPN then I would turn off the remote access interface on its rule. This does not change the routing, so if I have connected the VPN then Steam simply stops being able to access the Internet. This suits me fine, but if you wanted Steam to continue downloading with the local network while the VPN was active then you would have to fiddle with the routing. Unfortunately, I don't know of any way of doing this on a per-application basis. You would have to set the routing for the Steam servers by IP address.
When the VPN disconnects, any application that was only allowed to access the remote access interface would similarly lose the ability access the net, preventing those pesky leaks. This is not as easy as you described on Linux, as you can't change the default settings for the interface. This means you have to manually change each rule to disable the local area network interface to ensure everything has to go through the VPN. This isn't so bad, because Powershell comes with a lot of firewall manipulation commands. I haven't needed to use them yet, but I do see interface types mentioned when I did a man *firewall* (which shows all help topics containing the name firewall). You can use this to make a bulk change and then manually set the VPN rules to allow the LAN interface.