Good observation- I haven’t tested point to point tunnels.
For DMVPN on VyOS 1.4, a quick fix in the template file /usr/share/vyos/templates/ipsec/swanctl/profile.j2 will stop all but one or two GRE packets
I think the full fix should be as simple as having a firewall chain / table that can catch the outbound traffic.
Hopefully someone with some actual nftables knowledge can weigh in here - this is outside my area.