I mean, configure MacroDroid to create an alert based on your criteria (time, person, etc.) and then make sure MacroDroid can interrupt your DND mode(s).
For the "DND override" part, this is done in the phone's DND settings rather than MacroDroid. You just need to allow MacroDroid to interrupt the mode you have set.
Usually within 24 hours or so. Security updates, on the other hand, are released months before they are on regular Google Pixel releases as GrapheneOS doesn't adhere to the embargo period that other manufacturers agree to.
If you use an app like RethinkDNS, it will allow you to run multiple, simultaneous VPN connections and then choose how you want to route your traffic.
I have the same situation as you. I run two VPN connections. One to home and one to a VPS. I route all traffic to 10/8 to the home VPN, certain apps to my VPS VPN and then the rest of the traffic via the local connection.
RethinkDNS also does local DNS filtering and allows you to specify which DNS service to use. I run my own DoT service that backs off to the PiHole at home.
Not really. They develop for Pixel because those devices have the most secure hardware available for developing a modified Android OS.