This reminds me of the old saying that it's impossible to work within an infected system to clean it --- and now that corporations have been "infecting" systems with such telemetry/spyware by default, that's even more true.
I believe Win10 was the first to do something like this --- it ignores the hosts files and firewall for certain hardcoded domain names and IPs.
I built something similar to this[1] for when I'm dealing with hosts I don't have complete control of -- to block outgoing connections. Now it seems there might be a more widespread use case.
Even an external firewall can't easily block everything. Just send telemetry over port 443 to an AWS server and most can't block it. You can't trust a device that needs an outgoing firewall.