Podman vs. Docker on OpenWrt

Docker still ships depending on legacy iptables, which just makes a mess of the firewall situation, with both nftables and iptables present on current builds.

Would Podman do a better job of running containers under OpenWrt without messing up the firewall stack?

Best option is precise firewall rules in place of docker-addon.

It turns out that podman uses netavark to configure its network namespace and firewall rules. netavark can be configured to use nftables now, and will default to nftables in the near future.
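
The netavark setting mentioned in the post above, as an added example that is not part of the original thread. It assumes the installed netavark build includes the nftables driver and that Podman reads its system-wide configuration from `/etc/containers/containers.conf`:

```toml
# /etc/containers/containers.conf (assumed location of the system-wide config)

[network]
# Use netavark as the network backend.
network_backend = "netavark"

# Firewall driver netavark uses for container NAT and forwarding rules.
# "iptables" is the older driver; "nftables" keeps the container rules in
# nftables, so no iptables rule set has to exist next to the router's own
# nftables firewall.
firewall_driver = "nftables"
```

After recreating the container networks, `nft list ruleset` should show the container rules, and the iptables save output should contain no container chains.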

You could use LXC directly.