> Wireguard is not a link layer (layer 2)

Yes but UI wise it presents itself as one, since it’s acts as an interface. The fact that it is not a true data link layer is the basis of my comment.

> AllowedIPs can be disabled if you want; just set it to 0.0.0.0/0.

Only one peer is allowed to use 0.0.0.0/0 for AllowedIPs

> Only one peer is allowed to use 0.0.0.0/0 for AllowedIPs

This is simply incorrect. You can have two peers with the same AllowedIP; you just have to put them on separate interfaces (wg0 and wg1 for example). This is for exactly the same reason that a routing table can only have one default entry. If you want two default entries, make two routing tables.

> Yes but UI wise it presents itself as one

No, it doesn't present itself as one.

> since it’s acts as an interface

So does /dev/net/tun, which is definitely not a layer 2 interface either.

> you just have to put them on separate interfaces

I don’t have to do this with normal data link layers. That’s the point of the complaint. Wireguard is not a true data link layer. Manually configuring multiple interfaces for something I can do with just one interface with a normal data link layer at runtime is an extra inconvenience.

> This is for exactly the same reason that a routing table can only have one default entry. If you want two default entries, make two routing tables.

Using nftables I can specify different routers to use based on arbitrarily complex packet rules. Using just one interface. I can’t do this with wireguard, it will only allow me to to route arbitrary packets to a single peer on an interface. This is an inconvenience.

This is less important although useful in some cases. The more important thing is outbound - since Wireguard is layer 3, in the routing table you can't specify a peer to send the packet to like you can with ethernet, and it has to choose one using AllowedIPs.

Why not just split the peers up over separate wg interfaces?