The original concept behind "On Demand" is to trigger the VPN when it's needed - specifically when specific domains are being accessed. Indeed, Apple expanded it to even include interfaces that are connected, SSIDs, etc., in a non-intuitive way.
However, what makes it somewhat more unintuitive is the fact that these checkboxes appear in the main configuration screen for the tunnel. So, one just simply checks the boxes, thinking "I want VPN to work on-demand on all of my interfaces". Since this feature works so oddly (compared to its name), I would recommend putting it under a separate dialog. In that dialog, we can explain what this feature does, and also allow for DNS names to be used, which is the main use case for VPN On Demand.