Currently the required outbound connections from the CE to the internet are listed here https://docs.cloud.f5.com/docs-v2/platform/reference/network-cloud-ref#new-secure-mesh-v2-sites
These do not include the FQDNs for bot defense like ibd-webemea2.fastcache.net.
To not need to request additional firewall rules to allow such communications, it would make sense that the CE routes these requests through the already existing VPN tunnel via its connected REs.
Some customers are not so happy with firewall rules based on FQDNs and this would shrink the footprint for the required outbound connections from the CE to the internet.