I added another test.
I added DNAT to the inbound policy:
From Untrust Any to Trust 2.2.2.2 DNAT egress interface
It works, but of course, the traffic now has the wrong source address.
Yes, the other routers use the bgroup0 interface as their default.