This is some strange behavior I have since a year, but I always forgot to report it.
Some years ago my RT-AX88u was my main router/vpn server/client. But I switched to pfSense for the routing/dchp/vpn and let the AX only handle the wifi stuff.
I switched the OP Mode to "Access Point(AP) mode / AiMesh Router in AP mode" which runs great with Asuswrt.

But every time I reboot or update the FW, it starts the old VPN Server and Clients from years ago.
But there is no gui anymore to deactivate the vpn stuff. ATM i have to run the vpnclient_stop command on each reboot. (it's a single client company vpn, so it breaks the connection for all clients on the network)
I don't want to switch back to normal mode to deactivate the vpn, to not break my network (two dhcp servers, multiple use if IPs and all the good stuff). I don't have a test lab for that, it's my production environment.

Don't know if this is a "normal" behavior or a bug to run features from deactivated op modes, but maybe this can be fixed in some upcoming release. :)
No this is not typical behavior for Asus routers.
There is no expectation that this is a firmware issue.
My guess (taking your issues at face value and not something going on we are not aware of) is that the fasted fix is to do what you said you did not want to do.
Reset the Asus mode to "normal" mode. While its rebooting disconnect it from your Network and connect 1 device to the Asus.
Then once in normal mode do a factory reset and let it reboot. Then validate its clean.
Switch to AP mode and put it back on your pfSense network and move on.

for vpn clients, make sure this nvram value is blank
nvram get vpn_clientx_eas
and for servers
nvram get vpn_serverx_start

