This can already easily be added through third-party apps. Would a system-wide firewall be a worthwhile improvement? I suppose it would help to have it enabled by default for users who wouldn’t install a tracker firewall app afterwards.
Yes, AdGuard seems to do so and IIRC also has customizable block lists. The default includes Safari-only blocking but it is able to add a device-wide filter using Apple's API for VPNs. It seems to identify the various trackers used by the social media apps on my device, for instance.
Looks like system-wide blocking is via DNS, which would leak DNS requests to AdGuard's DNS server? The same could be accomplished with a local PiHole device.
We need a public registry of apps that embed tracking SDKs.
And iOS needs an outbound firewall, now that it is shipping an App Privacy Report.