The resulting firewall configuration is indeed necessary.
WireGuard clients must be allowed to access the internet, hence the Masquerading option, which basically means one-to-many network address translation (NAT).
It also needs to accept traffic generated by the WireGuard (wg0 or similar) interface. This results in the Input/Output fields being set to Allow.
Lastly, there has to be traffic forwarding from LAN to WireGuard interfaces and vice versa. Because of that, inter-zone forwarding is added between these zones.
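
The same three settings written as an OpenWrt `/etc/config/firewall` fragment, as an added example that is not part of the original text. The zone name `wg`, the network name `wg0` and the LAN zone name `lan` are assumptions; adjust them to the names used on the router.

```uci
# /etc/config/firewall (fragment)
# Added example. Zone and network names below are assumptions.

config zone
	# Assumed zone name for the WireGuard interface
	option name 'wg'
	# Assumed name of the WireGuard interface in /etc/config/network
	list network 'wg0'
	# "Input" and "Output" fields: accept traffic to and from the tunnel interface
	option input 'ACCEPT'
	option output 'ACCEPT'
	# "Masquerading" option: one-to-many NAT on this zone
	option masq '1'
	# The zone's own 'forward' policy is not stated in the text, so it is not set here

# Inter-zone forwarding, LAN -> WireGuard
config forwarding
	option src 'lan'
	option dest 'wg'

# Inter-zone forwarding, WireGuard -> LAN
config forwarding
	option src 'wg'
	option dest 'lan'
```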