Not sure what you're quoting, but you are misinterpreting it. The IN / OUT rulesets absolutely do not impact traffic that originated from or is destined to the router itself.
Just now I verified with the following partial ruleset on an EdgeRouter I have in production:
set firewall name WAN_OUT default-action accept
set firewall name WAN_OUT rule 300 action drop
set firewall name WAN_OUT rule 300 description 'block 1.1.1.1'
set firewall name WAN_OUT rule 300 destination address 1.1.1.1
set firewall name WAN_OUT rule 300 protocol all
set interfaces ethernet eth0 firewall out name WAN_OUT
Devices behind that ER can no longer communicate with 1.1.1.1, but the ER itself can.
The only way to filter traffic from the router would be to drop the standard "Allow Established / Related" rule from WAN_LOCAL, retain the default drop action, and make specific rules allow whatever the router should be permitted to communicate with. And that would still allow packets to escape the router -- for TCP the communications channel is effectively dead since the handshake can never complete, but it could blast out all the UDP it wants.
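Added example, not part of the original post and not EdgeOS code: a simplified Python model of the behaviour described above, showing which ruleset direction sees each packet on the WAN interface and why router-originated packets still leave under a strict WAN_LOCAL. The names `Packet`, `Ruleset`, `direction`, `wan_verdict`, `scenario` and the permitted peer 192.0.2.10 are constructed for illustration.

```python
from dataclasses import dataclass, field

ROUTER, LAN = "router", "lan"  # symbolic endpoints for this model

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "udp"
    established: bool = False  # reply belonging to a flow already tracked

@dataclass
class Ruleset:
    default: str
    rules: list = field(default_factory=list)  # ordered (match_fn, action) pairs

    def verdict(self, pkt):
        for match, action in self.rules:
            if match(pkt):
                return action
        return self.default

def direction(pkt):
    """Ruleset direction that sees pkt on the WAN interface, or None."""
    if pkt.src == ROUTER:
        return None          # router-originated: no in/out/local ruleset applies
    if pkt.dst == ROUTER:
        return "local"       # destined to the router itself
    return "out" if pkt.src == LAN else "in"   # forwarded traffic

def wan_verdict(pkt, bound):
    rs = bound.get(direction(pkt))
    return rs.verdict(pkt) if rs else "accept"

# WAN_OUT as posted: default accept, rule 300 drops destination 1.1.1.1
WAN_OUT = Ruleset("accept", [(lambda p: p.dst == "1.1.1.1", "drop")])
# Usual WAN_LOCAL: default drop plus "Allow Established / Related"
LOCAL_STANDARD = Ruleset("drop", [(lambda p: p.established, "accept")])
# Strict WAN_LOCAL: no established rule, one constructed permitted peer
LOCAL_STRICT = Ruleset("drop", [(lambda p: p.src == "192.0.2.10", "accept")])

def scenario(local):
    bound = {"out": WAN_OUT, "local": local}
    return {
        "lan_to_blocked": wan_verdict(Packet(LAN, "1.1.1.1"), bound),
        "router_to_blocked": wan_verdict(Packet(ROUTER, "1.1.1.1"), bound),
        "reply_to_router": wan_verdict(Packet("1.1.1.1", ROUTER, established=True), bound),
        "allowed_peer_reply": wan_verdict(Packet("192.0.2.10", ROUTER, established=True), bound),
    }
```

In both scenarios `router_to_blocked` is `accept`; only `reply_to_router` changes, which is why the strict variant breaks two-way exchanges without stopping outbound UDP.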