I believe it is worth reviewing this thread as well:
https://discuss.linuxcontainers.org/t/network-isolation-by-project-on-single-server-incus-host/
It demonstrates how you can create a new bridge and quickly isolate traffic between containers on that bridge. Here is a quick example:
Block traffic between all incus bridges (note the wildcard ‘+’):
sudo iptables -A FORWARD -i incusbr+ -o incusbr+ -j REJECT
Allow for exceptions if needed:
# -I inserts at the top of FORWARD, so this rule is checked before the REJECT above
sudo iptables -I FORWARD -i incusbr4 -o incusbr8 -j ACCEPT
Chuck
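
An added example, not part of the original post: a small shell model of first-match rule evaluation, showing why an exception for incusbr4 to incusbr8 only takes effect when it sits ahead of the wildcard REJECT in the FORWARD chain. It does not touch netfilter; the function names, the rule-list format and the default ACCEPT policy are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: models first-match evaluation of FORWARD rules.
# It never calls iptables, so it can be run without root.

# if_match PATTERN NAME: iptables-style interface match; a trailing '+'
# matches any interface name that begins with the preceding prefix.
if_match() {
    case "$1" in
        *+) prefix=${1%+}
            case "$2" in "$prefix"*) return 0 ;; esac
            return 1 ;;
        *)  [ "$1" = "$2" ] ;;
    esac
}

# verdict RULES IN_IF OUT_IF: RULES holds one "in out target" triple per
# line, in chain order. Prints the target of the first matching rule, or
# the assumed chain policy (ACCEPT) when no rule matches.
verdict() {
    rules=$1 in_if=$2 out_if=$3
    while read -r r_in r_out r_target; do
        [ -n "$r_in" ] || continue
        if if_match "$r_in" "$in_if" && if_match "$r_out" "$out_if"; then
            echo "$r_target"
            return 0
        fi
    done <<EOF
$rules
EOF
    echo "ACCEPT"
}

# Constructed rulesets using the bridge names from the post.
# Chain order when both rules are appended, REJECT first:
APPENDED='incusbr+ incusbr+ REJECT
incusbr4 incusbr8 ACCEPT'
# Chain order with the exception ahead of the wildcard REJECT:
EXCEPTION_FIRST='incusbr4 incusbr8 ACCEPT
incusbr+ incusbr+ REJECT'

verdict "$APPENDED" incusbr4 incusbr8         # REJECT: exception is never reached
verdict "$EXCEPTION_FIRST" incusbr4 incusbr8  # ACCEPT
verdict "$EXCEPTION_FIRST" incusbr8 incusbr4  # REJECT: the exception is one-way
verdict "$EXCEPTION_FIRST" incusbr4 eth0      # ACCEPT: not bridge-to-bridge
```

On a live host, `sudo iptables -L FORWARD -n -v --line-numbers` shows the actual rule order and per-rule packet counters to compare against.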