Maybe this will help. From my experience and understanding of how the NSS framework is designed, it basically depends on the Linux notification framework. The NSS drivers, e.g. ecm, registers itself as a notifier recipients for events, like netfilter conntrack and netdev registration, up, down etc.
When NSS take control of the GMAC control and data plane, it then snoops on all in/out packets. Those that it decides to handle it’ll do it and periodically notify the network network stack via stats syncs.
So ecm basically handles L4 traffic. qca-nss-clients handles higher and lower levels, like IPSec, OpenVPN, multicast/broadcast, etc.
I may be off base but I think this is how the NSS is designed at a high level.