Not the OP but an example of such a setup would be connecting your ios device to a router that has firewall rules to only allow UDP port 51820 (ie. wireguard) to go through. That way if there's any traffic leakage from your ios device, nothing will get out because of the firewall on your router.
Correct - however, what you are describing is a normal firewall.
What distinguishes a "slug" is that it is not on the TCP/IP network - you cannot connect to it - and it acts as a "dumb" chokepoint that cannot be misconfigured or attacked or co-opted by other actors or software.[1]
Further, it is a physical, wired device with exactly two ports so you can conceptually witness - with your eyes - how your traffic is locked to whatever VPN you may be using.
[1] Yes, of course it can but when we think of a layer 2 bridge with no TCP/IP connectivity being attacked by a remote actor ... we're bordering on science fiction. For what it's worth, the FreeBSD filesystem I use on my slugs is mounted read-only. Defense in depth.
