Your qosify configurations would need to set DSCP using the + convention (e.g. +af41, +video) so that qosify only overrides the DSCP if it is still CS0.
With offloading, only the first packet of a connection will traverse the firewall rules, so the remaining packets won’t get marked. You can use methods used with the script below to use ctinfo to make it work however,
Yes, after the first packet, connection info is cached in the flowtable and bypasses the netfilter stack for future packets. But it seems to let the tc egress filter restore the DSCP on these subsequent packets (at least in my experience so far).