Here is the function that puts together the device list: https://github.com/openwrt/firewall4/blob/b6e5157527d361f99ad52eaa6da273cb0f2dfd59/root/usr/share/ucode/fw4.uc#L426
SFO: resolve devices mentioned in the networks mentioned in firewall configuration
HFO: resolve further and keep only physical devices
Examples of edge cases where it fails:
SFO:
wan.7, i.e. with a VLAN: with absent VLAN offloads it would be better to pick packets on wan, to save one memory copy to align the packet.
Or, on the other hand, if there is card offload, it is safe either way.
HFO:
It could easily run SFO for docker0, but it does not.
IMO it is totally safe to go with SFO, but there is room for improvement.
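
A simplified model of the two resolution modes described in the post above, as an added example (not fw4's code and not part of the post). The topology, the zone map and all function names are constructed assumptions; it shows where wan.7 and docker0 end up in each list.

```javascript
// Constructed topology (hypothetical; not real ubus/netifd output).
const DEVICES = {
  "wan":     { physical: true,  lower: [] },
  "wan.7":   { physical: false, lower: ["wan"] },          // VLAN 7 on wan
  "lan1":    { physical: true,  lower: [] },
  "lan2":    { physical: true,  lower: [] },
  "br-lan":  { physical: false, lower: ["lan1", "lan2"] }, // bridge
  "docker0": { physical: false, lower: [] },               // bridge, no physical port
};
// Constructed firewall view: zone name -> devices of the networks it covers.
const ZONES = { wan: ["wan.7"], lan: ["br-lan"], docker: ["docker0"] };

// SFO model: take the devices of the firewall's networks as they are.
function sfoDevices(zones) {
  return [...new Set(Object.values(zones).flat())];
}

// Walk down the lower-device links and collect physical leaves only.
function physicalLeaves(name, devices, seen = new Set()) {
  const dev = devices[name];
  if (!dev || seen.has(name)) return [];   // unknown device or loop
  seen.add(name);
  if (dev.physical) return [name];
  return dev.lower.flatMap((l) => physicalLeaves(l, devices, seen));
}

// HFO model: resolve further and keep only physical devices.
function hfoDevices(zones, devices) {
  return [...new Set(sfoDevices(zones).flatMap((d) => physicalLeaves(d, devices)))];
}

// Devices that are in the SFO list but contribute nothing to the HFO list.
function droppedByHfo(zones, devices) {
  return sfoDevices(zones).filter((d) => physicalLeaves(d, devices).length === 0);
}

console.log("SFO:", sfoDevices(ZONES));
console.log("HFO:", hfoDevices(ZONES, DEVICES));
console.log("dropped by HFO:", droppedByHfo(ZONES, DEVICES));
```

In this model the SFO list hooks the VLAN device wan.7 rather than wan, and the HFO list has no entry for docker0 because it resolves to no physical device.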