Do We Need Firewall-qube After Sys-VPN? (Qubes-vpn-support)

Let’s think it through:

sys-net is an HVM with direct access to PCI devices (e.g. WiFi) and
naturally an internet connection. It will see all traffic. It can
also enforce firewall rules like any other proxy qube that has
qubes-core-agent-networking installed.

Your sys-vpn’s job is to create an encrypted tunnel to a specific server
and route all traffic through that tunnel… so now ideally sys-net only
sees encrypted traffic to your VPN provider and nothing else.

To make sure your sys-vpn doesn’t leak clearnet traffic when the VPN
tunnel is not active you define firewall rules for sys-vpn to make sure
sys-vpn can only ever connect to the VPN server.

If you connect your sys-vpn directly to sys-net, it is now sys-net’s job
to enforce those rules. Is that a good idea? No, it’s not. sys-net should
be extremely untrusted. It’s an internet-connected qube that can also be
directly accessed via the PCI bus. If an attacker managed to
compromise your sys-net, they could easily disable iptables (aka the
firewall) in sys-net, and then it no longer enforces the rules of all the
qubes directly connected to it.

If you however have a sys-firewall qube between sys-net and sys-vpn,
that firewall qube will enforce the rules for sys-vpn. Even if your
sys-net gets compromised, it will only ever see encrypted traffic to
your VPN provider, because that’s the only traffic sys-firewall will let
through.
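The setup described in the post, as an added example that is not part of the original post or of the qubes-vpn-support project: a dom0 script that points sys-vpn at sys-firewall (the qube named in `netvm` is the one that enforces sys-vpn’s rules) and replaces the default accept-everything rule with a whitelist for the tunnel endpoint. The qube names, the endpoint 203.0.113.10 and UDP/1194 are assumptions; with `DRY_RUN=1` (the default) the script only prints the dom0 commands it would run, so set `DRY_RUN=0` to apply them.

```shell
# Added example (not from the original post or qubes-vpn-support): put
# sys-vpn behind sys-firewall and limit it to its VPN endpoint, from dom0.
# Assumptions (hypothetical): qube names sys-vpn / sys-firewall, endpoint
# 203.0.113.10 reachable on UDP 1194. Override them via the environment.
VPN_QUBE="${VPN_QUBE:-sys-vpn}"
UPSTREAM="${UPSTREAM:-sys-firewall}"
VPN_HOST="${VPN_HOST:-203.0.113.10}"   # use an IP, so sys-vpn needs no DNS
VPN_PROTO="${VPN_PROTO:-udp}"
VPN_PORT="${VPN_PORT:-1194}"
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the plan, 0 = execute it

# Print the dom0 command in dry-run mode, otherwise execute it as given.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: the qube set as netvm is the one that enforces sys-vpn's firewall
# rules, so it has to be sys-firewall, never sys-net.
attach_behind_firewall() {
    run qvm-prefs "$VPN_QUBE" netvm "$UPSTREAM"
}

# Step 2: rules are evaluated top to bottom; keep only "accept the tunnel
# endpoint" so clearnet traffic is dropped whenever the tunnel is down.
restrict_to_vpn_server() {
    run qvm-firewall "$VPN_QUBE" reset             # back to the single default accept rule
    run qvm-firewall "$VPN_QUBE" del --rule-no 0   # remove that accept-everything rule
    run qvm-firewall "$VPN_QUBE" add accept "$VPN_HOST" "$VPN_PROTO" "$VPN_PORT"
    run qvm-firewall "$VPN_QUBE" add drop          # explicit catch-all for readability
}

# Step 3: show what sys-firewall will now enforce for sys-vpn.
show_result() {
    run qvm-prefs "$VPN_QUBE" netvm
    run qvm-firewall "$VPN_QUBE" list
}

configure_sys_vpn() {
    attach_behind_firewall
    restrict_to_vpn_server
    show_result
}

if [ "$DRY_RUN" = 0 ]; then
    configure_sys_vpn
fi
```

If your VPN config names the server by hostname instead of IP, sys-vpn also needs name resolution; add `qvm-firewall sys-vpn add accept specialtarget=dns` before the catch-all drop. Note that nothing here touches sys-net at all: the restriction lives in sys-vpn’s settings and is applied by whatever qube is its netvm, which is exactly why that qube should be sys-firewall.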
