…and sorry, in the policy with action=none you have added, change the src-address to 0.0.0.0/0, my mistake. It does not explain why the PC can bypass the tunnel, but the 192.168.88.0/24 as src-address was incorrect.
If it still does not work, consider using this way.