The Linux kernel has a built-in firewall, and provides iptables to configure it. Firewalld is also installed by default at least on Fedora, and UFW for Debian-based.
Unless this is just a battle of semantics on the fact iptables/firewalld/ufw are user space apps.
I think the main gripe is Google's lack of an API to access a firewall. It would make sense for the kernel to provide that API and leave the UI to user space apps.
Edit: and to clarify, you can have a user space app on Android to configure a firewall but they will either require root or a VPN-based solution like NetGuard.