Hello!
Yes, there is a small likelihood that leaks will occur: when you restart Bluetit, first Bluetit stops and the previous firewall rules, policy settings included, are restored. Then Bluetit starts and Network Lock rules are enforced. The time between those actions varies from system to system, but in general a few tenths of a second are required. If, during those tenths of seconds, a process manages to create a new socket and send out data, or use a pre-existing one whose communications did not "time out", you will have a leak.
A safer approach is to disconnect and reconnect with Goldcrest. By using Goldcrest to send commands to Bluetit, the persistent network lock is not disabled at any stage: the rules are of course changed, but the whole process is carried out while maintaining the "drop" policy.
Kind regards