What PF Doesn't Do
Application filtering

Two implementation options
Simple but simplistic
Trivial to defeat
False positives
Comprehensive but complex
Complexity == security risk
Too bloated for kernel
Extremely difficult to do correctly

Solution: Userland proxy
No kernel bloat
Security risk of complex code can be contained
privilege revocation/separation, chroot, etc.