It's confusing that packets that should come from eth3 (specified with curl --interface eth3 for example) can actually go out eth4, because it means curl can't be used to update the dynamic IP address of a secondary interface without finding the IP some other way, then updating the address with the dynamic DNS service by using that IP exlicitly.
In the case of local traffic, I can't add PBR rules to route outgoing traffic because they must take place on the in of an interface.
In my case, my secondary interface is failover-only, so why should lb-local enable cause ping packets to be load balanced? I would have thought it would use the primary interface until it fails over, then switch to the secondary interface. Same for DNS requests originating from the DNS forwarder. Were there other red entries in the table that didn't make sense?