Lxd bridge doesn't work with IPv4 and UFW with nftables

For posterity and to perhaps help with the docs, I found that these finer-grained rules seem to work well when ufw is enabled, iptables-nft/ip6tables-nft are in use and when ipv4.nat: "true" (seen with lxc network show lxdbr0):

# for a guest to get an ip from the lxd host
$ sudo ufw allow in on lxdbr0 to any port 67 proto udp comment 'lxd: dhcp'

# for a guest to resolve hostnames from the lxd host
$ sudo ufw allow in on lxdbr0 to any port 53 comment 'lxd: dns/resolved'

# for a guest to have access to anything outbound (10.210.254.0/24
# found with: lxc network list | grep lxdbr0)
$ sudo ufw route allow in on lxdbr0 from 10.210.254.0/24 comment 'lxd: outbound'

The first two rules limit access from the guests to the host to only dhcp and dns while the 3rd rule allows access from the guests to the world (the last rule mimics the default behavior of ufw for the host, which is to allow all outbound (from ipv4 hosts; adjust if using ipv6)). Adjust as necessary for your environment.

Note, the above doesn't have a fine-grained equivalent of sudo ufw route allow out on lxdbr0. If you are wanting to allow traffic from outside the host to your guests, then additional rules are in order (e.g., sudo ufw route allow out on lxdbr0 to 10.210.254.123 port 443 proto tcp comment "lxd: inbound to https server").

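As an added example (not code from the post above), the following POSIX shell script derives the bridge subnet from `lxc network show` output instead of reading it off by hand, and prints the three rules the post gives; it only emits them when ipv4.nat is "true", since that is the configuration the rules were written for. The `lxc network show` output embedded below is a constructed sample, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: derive the bridge subnet
# from `lxc network show <bridge>` output and print the three ufw rules the
# post describes, refusing to do so unless ipv4.nat is "true".

# Mask the host bits of a CIDR host address: 10.210.254.1/24 -> 10.210.254.0/24
cidr_network() {
  ip=${1%/*}; bits=${1#*/}
  IFS=. read -r a b c d <<EOF
$ip
EOF
  n=$(( (a << 24) | (b << 16) | (c << 8) | d ))
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  n=$(( n & mask ))
  printf '%d.%d.%d.%d/%d\n' $((n >> 24 & 255)) $((n >> 16 & 255)) \
    $((n >> 8 & 255)) $((n & 255)) "$bits"
}

# Read the network's YAML on stdin; print one ufw command per line.
# Returns 1 (prints nothing) when NAT is off or no IPv4 address is set.
lxd_ufw_rules() {
  br=$1
  cfg=$(cat)
  addr=$(printf '%s\n' "$cfg" | sed -n 's/^ *ipv4\.address: *//p')
  nat=$(printf '%s\n' "$cfg" | sed -n 's/^ *ipv4\.nat: *//p' | tr -d '"')
  [ "$nat" = true ] || return 1
  case $addr in */*) ;; *) return 1 ;; esac
  subnet=$(cidr_network "$addr")
  printf '%s\n' \
    "ufw allow in on $br to any port 67 proto udp comment 'lxd: dhcp'" \
    "ufw allow in on $br to any port 53 comment 'lxd: dns/resolved'" \
    "ufw route allow in on $br from $subnet comment 'lxd: outbound'"
}

# Constructed sample of `lxc network show lxdbr0` output (not from a real host).
SAMPLE_CFG='config:
  ipv4.address: 10.210.254.1/24
  ipv4.nat: "true"
  ipv6.address: none
name: lxdbr0
type: bridge'

# On a real host: lxc network show lxdbr0 | lxd_ufw_rules lxdbr0
# Review the printed commands, then run each one with sudo.
printf '%s\n' "$SAMPLE_CFG" | lxd_ufw_rules lxdbr0
```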