At the end of the day, it looks like the issue is device VPN profile vs user VPN profile.
A device VPN profile does NOT load routes. When using L2TP VPNs with 'alluserconnection', when you connect to this VPN at the Ctrl+Alt+Delete screen it will use a device VPN profile.
After the user profile loads, it will use a user VPN profile, and this does use (and load) the routes.
I don't fully understand the details of how that transition works.
Microsoft said one solution is to not use L2TP. Also, PROPERLY using device VPN profiles (i.e. in your VPN architecture design) will prevent this issue. Using additional routes with L2TP VPNs in the pre-logon environment (which is a device VPN profile) is not supported.
At least, this is my current understanding.
Again, here's the link I was given. This is more specific to Always On VPN, but it's not ONLY for Always On VPN. The info for device vs user VPN is still very relevant.
https://learn.microsoft.com/en-us/windows-server/remote/remote-access/vpn/vpn-device-tunnel-config
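
One way to check a client for the combination described in this post, as an added example that is not part of the original post or of Microsoft's documentation: it lists the all-user VPN connections with the built-in `Get-VpnConnection` cmdlet and flags L2TP entries that have extra routes configured. The function name `Get-VpnRouteReport` and the `PreLogonRouteRisk` column are hypothetical, and the flag only encodes the poster's stated understanding of the limitation.

```powershell
# Added example: inventory all-user VPN connections and flag L2TP entries
# that carry additional routes. Run on the VPN client in an elevated session.

function Get-VpnRouteReport {
    param(
        # Defaults to the machine-wide (all-user) phonebook; pass objects in to test.
        [object[]]$Connection = (Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    )
    foreach ($c in $Connection) {
        # Routes attached to the profile (for example with Add-VpnConnectionRoute).
        $routes = @($c.Routes | Where-Object { $_ })
        [pscustomobject]@{
            Name              = $c.Name
            TunnelType        = $c.TunnelType
            SplitTunneling    = $c.SplitTunneling
            RouteCount        = $routes.Count
            Routes            = ($routes.DestinationPrefix -join ', ')
            # Assumption taken from the post: L2TP + all-user + extra routes
            # is the combination where routes are missing before user sign-in.
            PreLogonRouteRisk = ("$($c.TunnelType)" -eq 'L2tp' -and $routes.Count -gt 0)
        }
    }
}

Get-VpnRouteReport | Format-Table -AutoSize

# With the VPN connected, list the routes actually installed on its interface
# so they can be compared before and after the user profile loads.
$vpnNames = @((Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue).Name)
Get-NetRoute -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Where-Object { $vpnNames -contains $_.InterfaceAlias } |
    Select-Object InterfaceAlias, DestinationPrefix, NextHop, RouteMetric
```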