TIL that ip rule supports a uidrange condition that allows to route traffic for specific users. This is useful in combination with Tailscale exit nodes or other VPNs to allow setting a different default route per-service (you do run your services as separate UIDs, right?)