Is that the point? VPNs have to be router-based, not on a device-by-device basis?
I did bookmark a guide to installing ProtonVPN on the router, but I didn't want to go that far. It's something I use once in a while.
Regarding "the point": no, VPNs need to run on the most suitable device, and consumer-grade routers are not such devices, due to a weak CPU that will limit the speed. Even on a Linksys E8450, WireGuard will saturate the CPU with only 150 Mbps of traffic under ideal conditions (i.e. no small packets), and OpenVPN is even worse. An Intel NUC might be a better place if you want something centralized.
Regarding the interaction with mwan3: it is still not clear (because "Is that the point?" can be interpreted either way) what exactly you were trying to do.
If the VPN is terminated on a device other than the router, it should just work.
If the VPN is terminated on the router, despite the negative recommendation above, a bugfix is needed for the mwan3 package. Until the maintainer develops a full understanding of what's going on, you have to put a workaround in place. The workaround consists of this iptables rule:
iptables -t mangle -I PREROUTING 1 -m comment --comment "Do not inherit the mark of encrypted packets" -j MARK --set-xmark 0x0/0x3f00
So, maybe it should be asked: is this thread OpenWrt-related? If so, can you clearly explain how?
It uses the mwan3 policy you configured - just like any other client would. Nothing special or magical overrides your router settings, unless you configured that client to be special somehow.
This statement is unclear: "and if privacy is maintained if/when that happens"? I surmise you're asking about Tor and ProtonVPN - I don't understand how that is OpenWrt-related - but I'm certain nothing magically changes with the program installed on your phone/tablet/laptop.