Because netfilter folks suggested that the crash we see here could be a race condition in our hacky out-of-tree flow-offloading integration into xtables:
https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=target/linux/generic/hack-5.10/650-netfilter-add-xt_FLOWOFFLOAD-target.patch;h=bda8d06b7caf49584206bbf4f6a747309f481847;hb=HEAD
So once we don't use xtables at all any more but native nftables, this codepath would no longer be used.
That's not the whole truth: we could (with some limitations) use the iptables-nft wrapper to remain cmdline-compatible with iptables while using the nftables backend in kernel. This is what all other distributions are doing if you use iptables executable. However, I'm not sure that covers really all features of iptables (ie. also ipsets, wild-cards in interface names, ...), I guess no...