Does Darwin have network namespaces like the Linux kernel does? I get the impression that's an important component of this approach

Yes, good point, maybe that is the blocker.

No network namespaces, but the various Network Extension APIs might be able to do this, though it's difficult. RocketSim (I'm unaffiliated, just an example) recently added a simulator-specific network throttle (to replace the system-wide Network Link Conditioner Apple ships) using a content filter extension. Even though this is a system-wide API, it seems you can limit its impact to a single app. And it seemed to properly compose with Proxyman and Cloudflare's Warp VPN at the same time, so perhaps it could be a general solution.

Woah, this is super helpful info. Thanks. That sounds like a real possibility for a macOS port actually.