PF can determine the user for a packet that originates or terminates on the system where PF is running. From pf.conf(5):
Code:
user user
    This rule only applies to packets of sockets owned by the
    specified user. For outgoing connections initiated from the
    firewall, this is the user that opened the connection. For
    incoming connections to the firewall itself, this is the user
    that listens on the destination port.
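An added example, not part of the original post or of pf.conf(5): a minimal pf.conf ruleset that uses the user match to restrict egress and ingress on the firewall host itself. The interface macro, the account name webfetch and the port numbers are assumptions chosen for illustration.

```conf
# Constructed example ruleset; em0, webfetch and the ports are assumptions.
ext_if = "em0"

set skip on lo
block all

# Outgoing: matched against the user that opened the socket.
# Only the webfetch account may start HTTP/HTTPS connections from this host.
pass out on $ext_if proto tcp from any to any port { 80, 443 } user webfetch

# DNS lookups allowed for root and webfetch only.
pass out on $ext_if proto { tcp, udp } from any to any port 53 \
    user { root, webfetch }

# Incoming: matched against the user that owns the listening socket.
# A daemon that binds its port as root and then drops privileges still
# matches "user root", because the owner is recorded when the socket
# is created.
pass in on $ext_if proto tcp from any to any port 22 user root

# user only matches TCP and UDP; other protocols need their own rules.
pass out on $ext_if inet proto icmp all

# Forwarded traffic has no local socket, so its user is "unknown".
# On a router, this rule would let routed TCP/UDP through without
# opening egress for other local accounts:
# pass out on $ext_if proto { tcp, udp } all user unknown
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading; the named accounts must exist on the system or the ruleset fails to parse.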