In order to obtain the external IP, Surge must communicate with an external server to obtain the real IP address. This communication process has nothing to do with the proxy server and must be requested directly; otherwise, the obtained IP address will be that of the proxy. This is also unrelated to whether system proxy and enhanced mode are enabled. There is no difference between using TCP or STUN/UDP.
In this case, IP address leakage can only occur by observing data packets on the link. But if attackers can already access data packets on the link, obtaining device's IP address is easy for them without such complexity.