Directly without root - no
vpn prescribes routes, to bypass which you need root access
in theory, if the smartphone already has an application installed that works at this access level and can bypass vpn (and almost certainly Google services can) and most importantly, it can proxy requests (almost for sure Google will not allow), then probably you can.
How are your dns requests going? via vpn or how will the system set up? otherwise, in the latest versions, even these settings are hidden and disconnected from the user. If dns is used from the provider, then a malicious application without root access can send such requests to its server and proxy the Internet through them (there are implementations of such proxies)
ps I wonder what will happen with an open udp connection behind nat to a smartphone, at the time of the vpn connection, will this connection remain open or close?

Theoretically, it is always possible, because even if there are no documented features, exploits and undocumented features can always be. And in the case of android, they are more likely to be than they will not be.

Of course it can :) after all, it somehow got into the system, which means that it is either already compromised (and the malware has a root) or it entered the system along with some kind of appliquha (and it has applicuha rights, which it will strive to increase in different ways.