This is on my todo list after wrestling Docker almost into compliance with nftables. Even so, I still have some issue with ports forwarded to Docker services not NATting correctly and instead showing up with a source IP of the Docker bridge. Switching to nftables exclusively (Docker is using iptables-nft) and preventing Docker from doing this should resolve my issues.
I can't think of another application on any of my systems that mucks with firewall rules behind the scenes like this.