I suspect the reasoning is to prevent malware/spyware from setting up an always-on VPN without the user’s permission (i.e. the recent Facebook/Onavo scandal). Without using NetworkExtension, a kext is needed (which now require fairly obnoxious user consent). And using NetworkExtensiom essentially requires Apple’s approval.