I think part of the problem here is you've made some false assumptions. All I said is that if you're paranoid you can set up an outgoing firewall to block VisibleTesla from communicating with any server other than those owned by Tesla. I never said anything about it being a consumer router firewall. There are absolutely firewalls that can permit and block ports on a per-application basis. See ZoneAlarm, Little Snitch, NetLimiter, and so on. I could, for example, make Chrome essentially useless by blocking it from port 80 and 443 while allowing Firefox to continue to work just fine on those same ports. For VT, it's only permitted to talk to the two servers/ports I noted. Literally nothing else.
What you're thinking of is a firewall that's blocking by port, which is different, though it's possible to be utilizing both at the same time.