I have been thinking more about this. You do not use a Default Deny approach, as recommended in the PF Users Guide -- there is no leading block all rule. There are no block rules in your configuration at all.
Pursuant to pf.conf(5) the default is to pass traffic when there is no matching rule, without creating state. Any match rule should apply to all matching traffic, also without creating or altering state. The documentation does not state an explicit pass or block is required, as I assumed above.
Since best practice is to operate with a Default Deny approach, perhaps your particular use case has not been previously tested by or reported to the Project.
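
A Default Deny ruleset of the kind the post refers to, as an added example that is not part of the original post or of the poster's configuration. The interface names, the LAN prefix and the choice of permitted traffic are assumptions made for illustration.

```conf
# Constructed pf.conf sketch. em0, em1 and 192.168.1.0/24 are assumed values.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"

# Do not filter on the loopback interface group.
set skip on lo

# Default Deny: an explicit leading block rule, so a packet that matches
# no later pass rule is dropped instead of falling through to pf's
# implicit default of passing it without state.
block all

# match sets parameters (here NAT) on every packet it matches, but it
# does not itself decide whether the packet is passed or blocked.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Explicit pass rules. pass keeps state by default, so replies are
# admitted through the state table rather than through the ruleset.
pass in  on $int_if inet from $lan_net to any
pass out on $ext_if inet proto { tcp udp icmp } from any to any
```

The ruleset can be parsed without being loaded using `pfctl -nf /etc/pf.conf`, and `pfctl -ss` lists the state entries the pass rules create.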