> Nowadays, you can't even have multiple routing tables on the latter, the firewall code was probably last updated in Snow Leopard
Apple uses OpenBSD's Packet Filter [1]; I doubt multiple routing tables are a problem. Back in the Snow Leopard days, it was FreeBSD's IPFW, which is also no slouch.
Whatever a firewall can do, PF can do it.
You can also get a nice GUI for PF [2].