Closed
Labels
RFE 🎁 (Request for Enhancement, i.e. a feature request), nspawn
Description
systemd currently uses iptables (via libiptc):
src/nspawn/nspawn.c:#if ! HAVE_LIBIPTC
src/test/meson.build: 'HAVE_LIBIPTC'],
src/shared/firewall-util.h:#if HAVE_LIBIPTC
src/shared/meson.build:if conf.get('HAVE_LIBIPTC') == 1
src/core/kmod-setup.c:#if HAVE_LIBIPTC
meson.build:conf.set10('HAVE_LIBIPTC', have)
libiptc was never considered an official API but more of an internal implementation detail and there is a push to get everything moved to nftables.
E.g. the latest Debian buster release has nftables as default:
https://www.debian.org/releases/stable/amd64/release-notes/ch-whats-new.en.html#nftables
Mixing iptables with nftables can be problematic according to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934584#15
It seems worthwhile getting systemd updated to use nftables instead of iptables.