To your point when I recognized the proxy problem I said (here: SAFE Network Client Testing Commences - #400 by janitor) that the testing was rolled out without regard for the clueless.
It would be nice to know how the proxy on localhost 8101 actually works, or, why there is a need to allow traffic from localhost:8101 to everything. Preventing traffic to flow outside of the safe network DNS would prevent these leaks.
I said the same at the link above.
The reason is visible from the rule, to not make your FF .SafeNet-only.
It didn’t have to be that way. But it could have been explained, if attention was paid to comments and suggestions from last November. Then people could have used Tor or adjusted the rule if they wanted to.
The existing rule can be adjusted manually entered in the browser and narrowed down to send everything to localhost:8101. Then nothing outside .safenet would work.
A simple workaround for the less tech savvy is to use Tor. That’s probably all that needs to be done. Tor can also anonymize DNS lookups if I remember correctly.