Score:3

How to restrict openvpn route at server side even if client side using no-pull


I know that the client-side OpenVPN configuration can use route-nopull and write its own routes. But this may cause some security problems, for example when you don't want to let VPN users visit some node through the VPN gateway.

So how can I restrict the route scope at the server side even if a VPN user modifies their client configuration and writes self-defined routes?

Score:2

As far as I understand it, the route scope is specified in the server.conf file, for example like this:

# Add route to Client routing table for the OpenVPN Server
push "route 10.8.0.1 255.255.255.255"
# Add route to Client routing table for the OpenVPN Subnet
push "route 10.8.0.0 255.255.255.0"

This tells your VPN gateway exactly what routes to push to connected clients.

If you're concerned about a malicious client configuring a static route on the client side to send additional traffic through the VPN tunnel, you cannot stop this unless you have administrative control of their machine and can prohibit them from manipulating the routing table directly.

However, what you can do is ensure that the firewall on your VPN gateway is configured to permit only the traffic you want to pass through. Assuming you're using a regular Linux box with the typical iptables/ufw as your VPN gateway, you just need to make sure those are configured with specific rules identifying exactly what traffic should be allowed; everything else is then blocked, so even if a user does send some unexpected traffic over the tunnel, your gateway just drops it.
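The gateway-side allow-list this answer describes, written out as an added example (it is not code from the answer or from the OpenVPN project). It assumes the tunnel interface is tun0, the VPN subnet is the 10.8.0.0/24 pushed in the server.conf above, and that clients may reach only one hypothetical internal host, 192.168.10.20 on TCP/443; the interface, subnet, destination and port are placeholders you would replace. Because the rules are enforced in the FORWARD chain on the gateway, a client that uses route-nopull and adds its own routes still gets nothing but dropped packets for any other destination.

```shell
#!/bin/sh
# Added example, not from the original answer: a server-side allow-list for
# traffic arriving from OpenVPN clients, enforced on the gateway with iptables.
# Assumed placeholders (not from the page): tunnel interface tun0, VPN subnet
# 10.8.0.0/24, and a single permitted internal service 192.168.10.20:443.

VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
ALLOWED_DST="${ALLOWED_DST:-192.168.10.20}"   # hypothetical internal host
ALLOWED_PORT="${ALLOWED_PORT:-443}"

# Emit a complete filter-table ruleset in iptables-restore(8) format.
# Rules are evaluated top to bottom; the final DROP catches everything the
# allow rules above it did not match. Lines starting with '#' are ignored
# by iptables-restore.
vpn_fw_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Return traffic for connections the gateway already allowed.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only the VPN subnet may source traffic from the tunnel interface; this
# also discards packets with spoofed source addresses from a modified client.
-A FORWARD -i ${VPN_IF} ! -s ${VPN_NET} -j DROP
# The single permitted destination and port for VPN clients.
-A FORWARD -i ${VPN_IF} -s ${VPN_NET} -d ${ALLOWED_DST} -p tcp --dport ${ALLOWED_PORT} -m conntrack --ctstate NEW -j ACCEPT
# Everything else from the tunnel is logged (rate-limited) and dropped,
# which is also where you would see a client pushing unexpected routes.
-A FORWARD -i ${VPN_IF} -m limit --limit 5/min -j LOG --log-prefix "VPN-FWD-DROP: "
-A FORWARD -i ${VPN_IF} -j DROP
COMMIT
EOF
}

# Number of rules that match on the tunnel interface; a quick sanity check
# before loading the set (expected: spoof drop, allow, log, final drop).
vpn_fw_rule_count() {
    vpn_fw_rules | grep -c -- "-i ${VPN_IF}"
}

# Load the ruleset atomically. Requires root and iptables-restore; the
# explicit --apply flag means running the script by accident only prints.
if [ "${1:-}" = "--apply" ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root to apply the ruleset" >&2
        exit 1
    fi
    vpn_fw_rules | iptables-restore
else
    vpn_fw_rules
fi
```

Run it without arguments to review the generated rules, and with --apply as root to load them. If the gateway also NATs client traffic, the same allow/drop logic belongs in FORWARD before any MASQUERADE rule in the nat table takes effect, and if the VPN server process itself is a permitted destination (10.8.0.1 above), add matching INPUT rules for it rather than widening the FORWARD allow-list.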
