If there were to be a script that took over the role of enabling ipfilter
in netbsd at bootup, which file(s) should it use and how?

Should it, for example, modify /etc/rc.conf?

If it were to do this, should it create an /etc/rc.conf.lock to ensure
that only one program is updating that file or not bother?

Or should it modify files in /etc/rc.conf.d/?
Should it use .lock on files to serialise access ?
And how do settings in files there gel with /etc/rc.d?
Will it be intuitive for people to glance at rc.conf, see
ipfilter is enabled, but know that it is really disabled
because of a setting in /etc/rc.conf.d/ipfilter ?

Darren