When the app is running, it's simple to communicate the user's list of blocked hosts to the network extension through XPC.
But from the documentation, it's unclear to me how the extension should handle things after e.g. a reboot. If I understand correctly, the extension is loaded by macOS automatically, even with no user logged in yet. However, it's not clear what state is persisted. Probably none.
What would be the preferred method to reload the user's custom rules after a reboot, before the user logs in? Simply a file somewhere (where?) on disk that the extension opens and reads? Something more elegant? Or is XPC through the main app (and waiting for an user to log in) the preferred method?