For me, the decisive factor is readability as a safety mmechanism. When you are debugging a network outage at 3 AM, PF's syntax (pass in on $ext_if...) reads almost like English sentences.

nftables is technically powerful and faster than legacy iptables, but the cognitive load required to parse a complex ruleset is still higher than PF. In an operational context, clarity prevents outages. That alone makes PF the superior choice for edge firewalls where human auditability is critical.