after more tests, it appears that the zone is partially applied:

$  nmcli -f NAME,DEVICES,ZONE con status
NOM                       PÉRIPHÉRIQUES ZONE          
WIFI                   wlp3s0     home          
VPN                   wlp3s0     work

but

$ firewall-cmd --get-active-zones
home
  interfaces: wlp3s0

when port 9000 is open in zone work only, telnet on port 9000 from the other side of the vpn answers "no route to host"
when port 9000 is open in zone home only, telnet on port 9000 from the other side of the vpn answers "no route to host"
when port 9000 is open in zone public (which is the default zone) only, telnet on port 9000 from the other side of the vpn is ok

as if VPN was in fact in default zone…
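
The comparison made by hand above can be automated. The following is an added example, not part of the original post: it parses the two command outputs quoted above and reports every connection whose configured zone is not the zone firewalld has active for its device. The function names are hypothetical, and the default zone `public` is taken from the post.

```python
import re

# Sample text: the two command outputs quoted in the post above.
NMCLI_OUT = """\
NOM                       PÉRIPHÉRIQUES ZONE
WIFI                   wlp3s0     home
VPN                   wlp3s0     work
"""
ACTIVE_OUT = """\
home
  interfaces: wlp3s0
"""

def parse_nmcli(text):
    """Rows of (name, device, zone) from tabular nmcli output; header skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) < 2 or not fields[0]:
            continue
        # An empty zone column means the connection uses the default zone.
        zone = fields[2] if len(fields) > 2 and fields[2] != "--" else None
        rows.append((fields[0], fields[1], zone))
    return rows

def parse_active_zones(text):
    """Map zone name -> set of interfaces from `firewall-cmd --get-active-zones`."""
    zones, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line starts a zone
            current = line.strip()
            zones[current] = set()
        elif current and line.strip().startswith("interfaces:"):
            zones[current].update(line.split(":", 1)[1].split())
    return zones

def find_mismatches(conns, active, default_zone):
    """Connections whose configured zone is not active for their device."""
    out = []
    for name, dev, zone in conns:
        expected = zone or default_zone
        actual = sorted(z for z, ifs in active.items() if dev in ifs)
        if expected not in actual:
            out.append((name, dev, expected, actual))
    return out

if __name__ == "__main__":
    for m in find_mismatches(parse_nmcli(NMCLI_OUT), parse_active_zones(ACTIVE_OUT), "public"):
        print("%s on %s: configured zone %r, active zone(s) %s" % m)
```

On the quoted output this flags only the VPN connection: it is configured for `work`, but `wlp3s0` is active in `home` and `work` is not active at all.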