Thanks everyone for the information. Putting some more pieces together, it seems:
1. vpnd is used for Multiportal functionality
2. Multiportal functionality is enabled if a) Identity Awareness is enabled and/or b) the Gaia portal is configured to use 443. I base b) off of a statement in sk115732:
3. I have Identity Awareness enabled on this gateway and 443 is used for the Gaia portal. Even though I am not using captive portal or usercheck on this gateway, Multiportal is enabled, though only one portal configured:
4. If vpnd is running (due to the above circumstances) it will still listen on traditional vpn ports (e.g. TCP 500) even though vpn blade is not enabled (this seems dumb, but is what it is).
Based on this sleuthing (and other similar rabbit holes I have gone down) I'll say Check Point's documentation on services/daemons and network ports used by products has improved, but there's much room for improvement. In the regulatory world that I live in (and I'm guessing many others reading this) we are required to have detailed documentation of running processes/services and network listening ports on critical systems. If there were better documentation around this, it would have saved me a lot of time.