It only blocks some of it. If you use no root firewall you'll see even the ones you set not to use background data STILL try do it regardless because noroot firewall logs the attempts to connect to the internet and show it happens during periods when the phone was not even being used and was on the lock screen.
I do not believe any of my Android based (pay for) VPNs have firewalls. There is a kill switch feature but I do not have it activated.
No. Not using yet because that's something that Android should provide by default, without needing any 3rd party stuff. Because Android is Linux and Linux has firewall built right into it's kernel (it's netfilter component and corresponding userspace tool iptables) this is something that Google should expose as native setting for users. Hopefully in the next coming Android 9 aka "P" version where (finally) users can also change global DNS settings too and not just for Wifi which is stupid. Something, that Google should have done also long time ago. There really should not be marketplace for 3rd party apps for simple thing like that like there is now ... EDIT: And if there is any Google engineer readings this: Make it like this: Settings -> Firewall -> "Inbound default policy" and from there either "Allow" or "Drop" Settings -> Firewall -> "Outbound default policy" and from there either "Allow" or "Drop" Settings -> Firewall -> Applications which show list of all apps and for each app choice either "Allow" or "Drop" for inbound/outbound so that individual apps can override default policies. Thats it
Unfortunately using any non-root firewall blocks you from using a VPN. And a VPN makes more sense for a thing that is constantly connected to insecure network. (Mobile, not WiFi)
For those interested GlassWire for Android now contains a Firewall. 30 day trial, 5 bucks US per year. Available on the Google Play store.