lib7 ftp access works fine, but I'm wondering whether the passive rule is too permissive.
Possibly. NetBSD's ftpd allows defining a restricted portrange to listen on for ftp-data; see ftpd.conf(5). In my /etc/ftpd.conf I have:
# Set the range of port number which will be used for passive data transfer
portrange all 65525 65535
And subsequently in /etc/npf.conf:
# Allow FTP PSV on safer ports
pass stateful in final proto tcp to $if port 65525-65535
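
A consistency check for the two snippets above, as an added example that is not part of the original post: it reads the `portrange` line from ftpd.conf and the port range of inbound TCP `pass` rules from npf.conf, then reports passive ports the firewall would block and ports opened beyond what ftpd uses. The rule parsing is a simplified assumption rather than the full NPF grammar, the function names are hypothetical, and the sample inputs are the lines quoted in the post.

```python
import re

# Constructed sample inputs: the two configuration lines quoted in the post.
FTPD_CONF = "portrange all 65525 65535\n"
NPF_CONF = "pass stateful in final proto tcp to $if port 65525-65535\n"


def ftpd_portranges(text):
    """Return {class: (min, max)} from 'portrange class min max' lines."""
    ranges = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 4 and fields[0] == "portrange":
            ranges[fields[1]] = (int(fields[2]), int(fields[3]))
    return ranges


def npf_inbound_tcp_ports(text):
    """Return (lo, hi) port ranges of inbound TCP pass rules (simplified parse)."""
    found = []
    for line in text.splitlines():
        rule = line.split("#", 1)[0]
        words = rule.split()
        if words[:1] != ["pass"] or "in" not in words or "tcp" not in words:
            continue
        m = re.search(r"\bport\s+(\d+)(?:-(\d+))?", rule)
        if m:
            lo = int(m.group(1))
            found.append((lo, int(m.group(2) or lo)))
    return found


def compare(ftpd_text, npf_text, ftpd_class="all"):
    """Relate the firewall's open ports to ftpd's passive data port range."""
    lo, hi = ftpd_portranges(ftpd_text)[ftpd_class]
    passive = set(range(lo, hi + 1))
    opened = set()
    for a, b in npf_inbound_tcp_ports(npf_text):
        if a <= hi and b >= lo:  # only rules overlapping the passive range
            opened |= set(range(a, b + 1))
    return {
        "blocked": sorted(passive - opened),  # passive ports the filter drops
        "excess": len(opened - passive),      # open ports ftpd never listens on
    }


if __name__ == "__main__":
    print(compare(FTPD_CONF, NPF_CONF))
```

A non-empty `blocked` list means some passive transfers will fail; a non-zero `excess` means the pass rule is wider than the range ftpd is configured to use.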