What gets bypassed with established TCP connections is the firewall rules, as an optimization for reducing CPU load on firewall machines. That's TCP connections, not routes. Routes must involve routers unless there is a direct connection (or faking of a direct connection through VPN bridging or something like that).
Nope, you can always source route a packet. Unless a host along the path filters them. However, in the case there is nothing to stop an application from source routing directly to the firewall and bypassing the router. However, the application would have to specifically do this as it is not done automatically.
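For the filtering mentioned in the reply above, this is an added example (not part of the thread) of how a filter can recognise source-routed IPv4 packets: it walks the header options looking for the loose and strict source route types defined in RFC 791. The function names and the sample headers, which use documentation addresses, are constructed for illustration.

```python
import struct

# IPv4 option type numbers from RFC 791
OPT_EOL, OPT_NOP = 0, 1
OPT_LSRR, OPT_SSRR = 131, 137

def source_route_options(packet: bytes):
    """Return [(name, [hop addresses])] for each source-route option found."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad header length")
    opts, i, found = packet[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:               # end of option list
            break
        if kind == OPT_NOP:               # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if kind in (OPT_LSRR, OPT_SSRR):
            data = opts[i + 3:i + length]  # skip type, length, pointer
            hops = [".".join(map(str, data[j:j + 4])) for j in range(0, len(data) - 3, 4)]
            found.append(("LSRR" if kind == OPT_LSRR else "SSRR", hops))
        i += length
    return found

def should_drop(packet: bytes) -> bool:
    """Filter decision: drop source-routed packets, fail closed on bad headers."""
    try:
        return bool(source_route_options(packet))
    except ValueError:
        return True

def sample_header(options: bytes = b"") -> bytes:
    """Constructed IPv4 header for the demo (checksum left at zero)."""
    options += b"\x00" * (-len(options) % 4)      # pad to a 32-bit boundary
    ver_ihl = (4 << 4) | (5 + len(options) // 4)
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + options

PLAIN = sample_header()                                      # no options
LSRR_PKT = sample_header(bytes([131, 7, 4, 203, 0, 113, 9])) # one loose hop
BROKEN = sample_header(bytes([131, 40, 4]))                  # length overruns header
```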