Edit: Actual injection of the route appears to be done in a call to proto_add_host_dependency()
I've now traced down the appearance of a completely bogus static route to the call to resolveip done within the gre.sh that is provided for netifd. Does this tickles anyone's memory?
172.16.1.9 via <default gateway> dev <dev for default gateway> proto static linkdown
where 172.16.1.9 is a private address of a remote host on a network that is not (yet) link-local to a configured interface. The address was supplied verbatim to resolvip, not as a DNS name.
This becomes a significant issue as once network connectivity is established for the 172.16.1.0/nn net, that static route not only continues to be wrong, but is apparently taken over the less-specific, but correct routing for the subnet.