Bridge ACLs between containers impossible?

I’m using a single host and OVN is not an option, neither is manually editing firewall rules - it’s nice to have incus take care of that part after changing the configuration. In order to get ACLs to work between containers, my current approach is to assign a separate bridge / network to each container. This works quite well, but is rather cumbersome when it comes to setting up new containers.

So I’d like to know if the below paragraph from the documentation is really a hard limitation or perhaps a design choice. If the latter, would it be possible to make this configurable so that containers in the same bridge network can be isolated from one another? Is there maybe a host / kernel setting to this effect?

“Unlike OVN ACLs, bridge ACLs are applied only on the boundary between the bridge and the Incus host. This means they can only be used to apply network policies for traffic going to or from external networks. They cannot be used to create intra-bridge firewalls, thus firewalls that control traffic between instances connected to the same bridge.”