Vanilla WireGuard doesn't provide a way to run a peer in userspace that can proxy traffic between another peer and an endpoint such as a web server because you need to be privileged to do things like work with raw packets. However, https://github.com/WireGuard/wireguard-go is a userspace implementation of WireGuard and has recently incorporated Google's userspace networking stack. This project uses these two userspace tools to "fake" a privileged WireGuard peer that proxies TCP, UDP, and (a small subset of) ICMP. It was written as a pentesting/red team utility for my team but it can also serve as a general makeshift VPN when you don't have privileges on a box you want to proxy through.
Kernel networking interfaces already work pretty well in containers (using network namespaces). You can eg run openvpn or some fancier SDN inside a container to tunnel its traffic with the default non-privileged permission set that
If you are running an old kernel from before Wireguard was merged to the mainline kernel, or want the extra safery from a memory safe language wireguard implementation this can be useful.
Edit: typo