I think you may be right about ICMP packets, but why would they inherit the marks when the ICMP DST is to the router itself, which is the first hop in the traceroutes? And is there a work-around for this?
I’ll look into the experiment though.
Edit: In the logs, I only see ICMP originating from the public IPs destined towards public IPs as expected; no LAN IPs are in it, as per the exclusions. So I’m really confused about the packet loss now. Of course, if I remove !local and !addresslist, then I can see LAN IPs.