Denying "local network" permissions is hilariously worthless. On both Android and iOS all it does is prevent software from sending out multicast packets (for things like device discovery, Chromecast, etc. that don't use DNS-SD); it can still go ahead and just start trying to iterate through the entire RFC 1918 address space and try to connect to everything on your network.
I spent a bunch of time trying to figure out how I would implement such a feature on a standard Linux system to sandbox apps on my PinePhone, but there's no sane way you can implement a standard "you can have internet access but not touch my local network" policy.
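Added example, not part of the comment above: a Python sketch of the destination check an "internet but not local network" policy would have to make, showing which destinations fall outside a multicast-only block. The range list, the function names and the sample destinations are assumptions constructed for illustration; how a sandbox would enforce the decision per app is not covered.

```python
import ipaddress

# Assumed definition of "local network" unicast space for this sketch.
LOCAL_UNICAST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16",                                 # IPv4 link-local
    "fc00::/7",                                       # IPv6 unique local
    "fe80::/10",                                      # IPv6 link-local
)]


def normalize(addr):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def classify(addr):
    """Return 'multicast', 'local-unicast' or 'internet' for a destination."""
    ip = normalize(addr)
    if ip.is_multicast:
        return "multicast"
    for net in LOCAL_UNICAST:
        if ip.version == net.version and ip in net:
            return "local-unicast"
    return "internet"


def permission_gap(destinations):
    """Local destinations that a multicast-only block would still let through."""
    return [d for d in destinations if classify(d) == "local-unicast"]


# Constructed sample destinations (not taken from the comment).
SAMPLE = [
    "224.0.0.251",           # IPv4 multicast
    "ff02::fb",              # IPv6 multicast
    "192.168.1.1",           # RFC 1918
    "172.31.255.254",        # last address inside 172.16.0.0/12
    "172.32.0.1",            # just outside 172.16.0.0/12
    "::ffff:192.168.1.10",   # IPv4-mapped IPv6 form of a private address
    "fe80::1",               # IPv6 link-local
    "8.8.8.8",               # public
]

if __name__ == "__main__":
    for dest in SAMPLE:
        print(f"{dest:24} {classify(dest)}")
```
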