Typical mobile user with a VPN is still vulnerable as far as I can tell, because they may be disconnected while displaying a push notification, but feel free to prove me wrong: https://news.ycombinator.com/item?id=42786466
I have no idea about iOS, but there have been past reports on it being extremely leaky and how Apple basically whitelists its domains to bypass the VPN connection. Android doesn't suspend the VPN connection in any state, that's for sure.
Android seems to disconnect from VPN when sleeping, but I see Android has an "always on" option for VPN that'll block all non-VPN traffic until the VPN reconnects. So users have to make sure that's enabled.