Why does:
docker service create --name alp alpine apk update
use the docker0 interface instead of docker_gwbridge, as described in the swarm docs?
Is this known / expected / broken?
Long version
I am hardening a docker swarm and stumbled upon an oddity:
If I understand the network concept of swarm correctly (I've marked it in bold), then a service without a network should still be using docker_gwbridge when accessing the network to get to, e.g., the internet.
The docker_gwbridge is a bridge network that connects the overlay networks (including the ingress network) to an individual Docker daemon's physical network. By default, each container a service is running is connected to its local Docker daemon host's docker_gwbridge network.
I am creating this simple service
sudo docker service create --name alp alpine apk update
and am looking at the nft logs (I know Docker loves iptables).
What I am seeing is that this service is using docker0 instead of docker_gwbridge.
Here is the output:
Dec 20 14:52:44 manager1 kernel: NFT-FORWARD: IN=docker0 OUT=eth0 PHYSIN=veth3689ddb MAC=02:42:e9:4c:8b:bc:02:42:ac:11:00:04:08:00 SRC=172.17.0.4 DST=172.22.240.1 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=27536 DF PROTO=UDP SPT=50844 DPT=53 LEN=48
Dec 20 14:52:44 manager1 kernel: NFT-FORWARD: IN=docker0 OUT=eth0 PHYSIN=veth3689ddb MAC=02:42:e9:4c:8b:bc:02:42:ac:11:00:04:08:00 SRC=172.17.0.4 DST=172.22.240.1 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=27537 DF PROTO=UDP SPT=50844 DPT=53 LEN=48
Dec 20 14:52:46 manager1 kernel: NFT-FORWARD: IN=docker0 OUT=eth0 PHYSIN=veth3689ddb MAC=02:42:e9:4c:8b:bc:02:42:ac:11:00:04:08:00 SRC=172.17.0.4 DST=172.22.240.1 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=28100 DF PROTO=UDP SPT=50844 DPT=53 LEN=48
Dec 20 14:52:46 manager1 kernel: NFT-FORWARD: IN=docker0 OUT=eth0 PHYSIN=veth3689ddb MAC=02:42:e9:4c:8b:bc:02:42:ac:11:00:04:08:00 SRC=172.17.0.4 DST=172.22.240.1 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=28101 DF PROTO=UDP SPT=50844 DPT=53 LEN=48
When I create the service with --network whatever, where whatever is an overlay, then I see the traffic going through docker_gwbridge as described.
Why is this happening? If I understand the docs correctly, this should not happen, and I would love to understand why (especially from a security POV).
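Added example (not part of the question, and not Docker's own tooling): a small audit over NFT-FORWARD kernel log lines like the ones above. It parses the key=value fields, groups forwarded packets by container source IP, and flags any source whose traffic entered the forward chain via a bridge other than the one you expect for swarm tasks (assumed here to be docker_gwbridge). The sample log embeds two lines from the question plus one constructed docker_gwbridge line and one unrelated syslog line.

```python
import re
from collections import defaultdict

# Constructed sample: two NFT-FORWARD lines from the question, one assumed line for a
# task attached to an overlay (egress via docker_gwbridge), and one non-netfilter line.
SAMPLE_LOG = """\
Dec 20 14:52:44 manager1 kernel: NFT-FORWARD: IN=docker0 OUT=eth0 PHYSIN=veth3689ddb MAC=02:42:e9:4c:8b:bc:02:42:ac:11:00:04:08:00 SRC=172.17.0.4 DST=172.22.240.1 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=27536 DF PROTO=UDP SPT=50844 DPT=53 LEN=48
Dec 20 14:52:44 manager1 kernel: NFT-FORWARD: IN=docker0 OUT=eth0 PHYSIN=veth3689ddb MAC=02:42:e9:4c:8b:bc:02:42:ac:11:00:04:08:00 SRC=172.17.0.4 DST=172.22.240.1 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=27537 DF PROTO=UDP SPT=50844 DPT=53 LEN=48
Dec 20 14:53:01 manager1 kernel: NFT-FORWARD: IN=docker_gwbridge OUT=eth0 PHYSIN=veth9a1c2f0 MAC=02:42:aa:bb:cc:dd:02:42:ac:12:00:03:08:00 SRC=172.18.0.3 DST=172.22.240.1 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=30111 DF PROTO=UDP SPT=41002 DPT=53 LEN=48
Dec 20 14:53:02 manager1 sshd[812]: Accepted publickey for admin from 10.0.0.5
"""

EXPECTED_BRIDGE = "docker_gwbridge"   # assumed: the egress bridge swarm tasks should use
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_nft_line(line):
    """Return the key=value fields of one NFT-FORWARD line, or None for other log lines."""
    _, sep, rest = line.partition("NFT-FORWARD:")
    if not sep:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(rest):
        fields.setdefault(key, value)   # LEN occurs twice (IP, then UDP); keep the IP one
    return fields

def audit_egress(log_text, expected=EXPECTED_BRIDGE):
    """Group forwarded packets by container source IP and record the ingress bridge.
    Returns {src: {"bridges": set, "packets": int, "dst_ports": set, "unexpected": bool}}."""
    summary = defaultdict(lambda: {"bridges": set(), "packets": 0, "dst_ports": set()})
    for line in log_text.splitlines():
        f = parse_nft_line(line)
        if not f or "SRC" not in f or "IN" not in f:
            continue
        entry = summary[f["SRC"]]
        entry["bridges"].add(f["IN"])
        entry["packets"] += 1
        entry["dst_ports"].add(f"{f.get('PROTO', '?')}/{f.get('DPT', '?')}")
    for entry in summary.values():
        entry["unexpected"] = any(b != expected for b in entry["bridges"])
    return dict(summary)

def unexpected_sources(log_text, expected=EXPECTED_BRIDGE):
    """Source IPs whose forwarded traffic entered via a bridge other than `expected`."""
    return sorted(src for src, e in audit_egress(log_text, expected).items() if e["unexpected"])

if __name__ == "__main__":
    for src, e in audit_egress(SAMPLE_LOG).items():
        flag = "CHECK" if e["unexpected"] else "ok"
        print(f"{src:<14} via {','.join(sorted(e['bridges'])):<16} {e['packets']} pkts "
              f"to {sorted(e['dst_ports'])} [{flag}]")
```

Feed it `journalctl -k` output on a swarm node; a source listed under CHECK is a container whose egress is not going through the bridge you expected, which is exactly the case the question describes.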