Another option is to disable ShellBridge by setting it to 0. However, this might cause problems with Office apps. https://support.citrix.com/article/CTX267071/password-field-not-displayed-for-published-apps-in-windows-server-2019
Are you asking about the system tray icon? It looks like it can be disabled. https://documentation.n-able.com/remote-management/userguide/Content/systray_enable.htm
I think the SDX config is stored in a database. You can use the Nitro API to query and configure it. https://developer-docs.netscaler.com/en-us/adc-sdx-nitro-api-reference/current-release/configuration/configuration
If you run Get-BrokerDesktopGroup <DesktopGroupName>, what do you see for AutomaticPowerOnForAssigned and AutomaticPowerOnForAssignedDuringPeak? You can set them to $true.
NetScalers (and all other machines) can route. NetScaler just needs a SNIP on a subnet that has a route to the VDAs. Yes, 1494/2598 from SNIP to the VDAs.
You should have an Authentication Virtual Server with SAML as one of the factors. Change the first factor to the EULA and then bind your SAML factor as Next Factor.
Or configure your SAML IdP to show the EULA.