How to permanently block app's internet access on LineageOS without Magisk and all that stuff

Every installed package has its own Linux uid and gid. The idea is to find that uid and use iptables to block any traffic coming from processes owned by that uid.

Enable developer settings.

Enable USB debugging (adb) and rooted debugging.

Attach your Android phone to a computer via USB cable, verify that device is detected by running adb devices.

Run adb root, then adb shell.

Then, on the device, run cmd package list packages -3 -U to see list of packages and their uids.

When you've found the uid you were looking for, add the following rule on top of the OUTPUT chain (replacing $UID with actual number):

iptables -I OUTPUT 1 -m owner --uid-owner $UID -j DROP

To make it persistent, use a technique described here.

Don't forget to disable rooted debugging when you're done.