So I went over the .service files in /etc/systemd/system as well as the scripts they executed, stress-tested my networking, and looked it over with tshark at multiple points in the chain. I posted my general DOs and DON'Ts in this link.
I hope it helps anyone in need in the future. I wrote down potential leaks and what is the strongest defence against them to this point by my knowledge.

TL;DR related to this post: to my surprise you cannot execute .nft files directly inside qubes-firewall-user-script, but you do not have to add a sleep timer either, like I had to do a few years ago; all that is needed is to subshell $(/rw/config/my-firewall.nft)
If anyone needs any more explanations, drop a comment here or in the linked post.
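Added example, not the poster's own script: a minimal /rw/config/qubes-firewall-user-script in POSIX sh that loads a persistent ruleset with `nft -f` (an alternative to the subshell invocation described in the post) after checking the file's ownership and permissions and dry-running it with `nft -c`, so a typo in the rule file leaves the running firewall untouched. The path /rw/config/my-firewall.nft comes from the post; the `RULESET` variable, the function names, the sample ruleset contents and the use of GNU coreutils `stat` are assumptions.

```shell
#!/bin/sh
# Added example (not the forum poster's script): a qubes-firewall-user-script
# that validates and then loads a persistent nftables ruleset with `nft -f`.
# Assumptions: the ruleset lives at /rw/config/my-firewall.nft (path from the
# post), GNU coreutils `stat` is available, and Qubes runs this script as root.

RULESET="${RULESET:-/rw/config/my-firewall.nft}"

# Static checks before nft parses the file as root:
#  - it exists and is a regular file
#  - it is owned by the user running this script (root under Qubes)
#  - it is not writable by group or others, so another account inside the
#    qube cannot silently rewrite the firewall policy
#  - it looks like an nft ruleset (declares at least one table)
check_ruleset_file() {
    rf="$1"
    [ -f "$rf" ] || { echo "ruleset missing or not a regular file: $rf" >&2; return 1; }

    owner=$(stat -c '%u' "$rf") || return 1
    [ "$owner" = "$(id -u)" ] || { echo "ruleset not owned by uid $(id -u): $rf" >&2; return 1; }

    perms=$(stat -c '%a' "$rf") || return 1
    go=${perms#"${perms%??}"}        # last two octal digits: group and other
    case "$go" in
        [2367]?|?[2367])
            echo "ruleset is group/world writable (mode $perms): $rf" >&2
            return 1 ;;
    esac

    grep -q '^[[:space:]]*table[[:space:]]' "$rf" \
        || { echo "no table declaration found in $rf" >&2; return 1; }
    return 0
}

# Dry-run with `nft -c` first: a syntax error then fails here and the
# currently loaded ruleset is left as it was.
load_ruleset() {
    check_ruleset_file "$1" || return 1
    nft -c -f "$1" || { echo "ruleset failed nft syntax check: $1" >&2; return 1; }
    nft -f "$1"
}

# Constructed sample (not from the post) for trying the checks locally without
# touching nft: writes a tiny ruleset into a temp dir and prints its path.
write_sample_ruleset() {
    d=$(mktemp -d)
    sf="$d/my-firewall.nft"
    cat > "$sf" <<'EOF'
# constructed sample ruleset
table inet my_firewall {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state invalid drop
    }
}
EOF
    chmod 600 "$sf"
    printf '%s\n' "$sf"
}

# Qubes invokes this file as .../qubes-firewall-user-script; only then load.
case "$0" in
    */qubes-firewall-user-script) load_ruleset "$RULESET" ;;
esac
```

Run `check_ruleset_file "$(write_sample_ruleset)"` to exercise the checks on the constructed sample; the permission check rejects any mode whose group or other digit carries the write bit (2, 3, 6 or 7), which is the case a practitioner most often gets wrong when the file is created from a user account and later read by root.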