Private Google Access allows instances with only internal IPs to reach Google APIs via the default internet gateway. However, on-premises traffic coming via interconnect uses the VPC's internal IP range, and if the forward proxy does not have a route for Google API destinations via the internet gateway (default route), it will try to use the interconnect route, which points to on-premises. Since the proxy is configured to use the default internet gateway, but that gateway is only effective for instances with PGA; on-premises traffic does not go through the proxy's default gateway.
The issue is that the proxy's egress traffic to Google APIs is being routed via the on-premises network because the VPC's default route (0.0.0.0/0) points to the internet gateway only for instances with PGA, but for traffic sourced from the proxy that is destined to Google APIs, the proxy itself uses its default gateway which is the internet gateway. Actually, the on-premises users are using the proxy's internal IP as a forward proxy. The proxy will make requests to Google APIs.
For those requests, the proxy's VPC will route based on the most specific route. If there is a custom route for the Google API IP ranges (e.g., 199.36.153.4/30) that points to the interconnect, the proxy will send traffic to on-premises instead of internet. PGA does not create routes; it only allows the default route to be used for Google API destinations.
A common misconfiguration is having a custom route for the Google API IP range (e.g., from a previous VPN setup) that overrides the default route. Option B is correct.