I think your goal here is to send all traffic (includes internet traffic) back to the vpn gateway when the sonic wall vpn client is on. In such case we should not have the zapp tunnel on at the same time, and so we need zapp to be aware of the sonic wall vpn is on. Once zapp realized it is in vpn trusted network the corresponding forwarding profile will be applied.
Some customers will simply turn off the zapp tunnel when the vpn is on if the office network behind the vpn getaway does have a tunnel to zscaler cloud for internet access. Some customers may apply a pac file to the browser when vpn is on the have traffic to reach zscaler. It really depends on how your office network is designed to send traffic to zscaler cloud.
If you actually want to have the vpn to only cover internal traffic, we need the vpn solution to be configured to use split tunnel mode, and in the zapp portal to bypass all traffic to that vpn gateway(s). In such case the vpn and zapp tunnel will never try to cover the same set of traffic. When vpn is off zapp will cover all internet bound 80/443 traffic; when vpn is on the vpn client will pick up internal traffic while zapp will still pick up only internet bound port 80/443 traffic.
SE Manager, Greater China