Dan,
I hope all is well. I am unsure what Show/Episode you are watching and referring to specifically, so if you want to let me know as a follow-up, I can answer the first part of your question more directly.
Having said that, GENERALLY, the way that an App-Triggered VPN profile works is as follows:
VPN profiles in Windows 10 can be configured to connect automatically on the launch of a specified set of applications. You can configure desktop or Universal Windows Platform (UWP) apps to trigger a VPN connection. You can also configure per-app VPN and specify traffic rules for each app.
The app identifier for a desktop app is a file path. The app identifier for a UWP app is a package family name.
So, this is not really a mechanism that would be used to limit the number of applications that could be used, BUT RATHER is the trigger that causes the VPN to connect automatically.
If you wanted to allow or block certain applications, then a policy-based solution such as AppLocker would be what you will want to explore.
Take a look at the following link:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-AppLocker
Specific to part 2 of your question, about using VirtualBox, or some other form of virtualization solution, to run one or more VMs to give you a place to try things out: that is a great idea, and it does help you to avoid issues and concerns that may arise if a command or program does something to your machine.
I hope that helps to explain what you were asking about.
Good luck!!
Cheers,
Adam
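
The distinction drawn in the reply above, shown as an added PowerShell example (not part of Adam's message): it registers a desktop app by file path and a UWP app by package family name as VPN triggers, then separately asks the effective AppLocker policy whether the executable may run. The profile name 'Contoso VPN', the two sample apps, and the helper Resolve-TriggerAppId are assumptions made for illustration; the profile is assumed to exist already for the current user.

```powershell
# Added example. Placeholder values below are assumptions, not from the original reply.
$ConnectionName = 'Contoso VPN'                     # existing VPN profile (placeholder name)
$DesktopApp     = 'C:\Windows\System32\mstsc.exe'   # desktop app: identifier is the file path
$UwpAppName     = 'Microsoft.WindowsCalculator'     # UWP app: identifier is the package family name

# Hypothetical helper: turns the two inputs into the identifiers the trigger expects.
function Resolve-TriggerAppId {
    param([string]$DesktopPath, [string]$UwpName)
    $ids = @()
    if ($DesktopPath) {
        if (-not (Test-Path -LiteralPath $DesktopPath -PathType Leaf)) {
            throw "Desktop app not found: $DesktopPath"
        }
        $ids += $DesktopPath
    }
    if ($UwpName) {
        $pkg = Get-AppxPackage -Name $UwpName | Select-Object -First 1
        if (-not $pkg) { throw "UWP package not installed: $UwpName" }
        $ids += $pkg.PackageFamilyName
    }
    return $ids
}

$appIds = Resolve-TriggerAppId -DesktopPath $DesktopApp -UwpName $UwpAppName

# Fail early if the profile does not exist.
Get-VpnConnection -Name $ConnectionName -ErrorAction Stop | Out-Null

# Register the triggers: launching either app now brings the VPN up automatically.
Add-VpnConnectionTriggerApplication -ConnectionName $ConnectionName `
    -ApplicationID $appIds -PassThru -Force

# Review which application identifiers are configured on the profile.
(Get-VpnConnectionTrigger -ConnectionName $ConnectionName).ApplicationID

# The trigger does not allow or block anything. Whether an executable may run
# is a separate decision; this asks the effective AppLocker policy about it.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $DesktopApp -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

Running this in a VM, as suggested in the reply, keeps the trigger and policy changes away from your main machine.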