Thanks for your reply Trendy,
I suspect your question may lead to the very point we need to get down into...
To use ExpressVPN or any other vpn provider without leaks, one must direct all DNS queries through the VPN. ExpressVPN further requires that DNS servers be set to google DNS (and that local DNS from ISP be blocked via no-resolve directive etc.) This config then ensures that the vpn sever pushs/translates/or replaces only these google IPs with their own secure DNS at the correct location.
If any other DNS servers aside from google are in the mix, there will be leaks. This setup using only google DNS all works perfectly with a single instance of OVPN client and I've been using this trouble free for years. What appears to be happening is that the "substituted" dns servers from each tunnel are being pushed to the wrong tunnel in a random fashion.
So, I'm thinking perhaps the answer lies in how to isolate DNS traffic between each tunnel when the dns settings for each tunnel must be effectively set to the same IP ie 8.8.8.8, or how to configure DNSmasq-full to isolate each of its spawned dynamic routing tables that manage the mangling of DNS packets in and out between tunnels, or some combination of the two.
.... but I have no idea whether this is a valid thought, or how I might look deeper into this. All ideas appreciated!