Sorry for being a little extra pedantic, but this needs to be clear:
A "user" for PF is a specific filtering value, used on packets which originate or terminate on the system where PF is running. From pf.conf(5):
Code:
user user
This rule only applies to packets of sockets owned by the
specified user. For outgoing connections initiated from the
firewall, this is the user that opened the connection. For
incoming connections to the firewall itself, this is the user
that listens on the destination port.
Otherwise, PF merely manages network traffic, as rules define, without consideration of "users."