WireGuard private networking with distinct networks

Yep, your #1 and #2 work. network is unique per organization. If you omit network you get a default network that’s still isolated from the others (it’s almost the same as specifying network: <default>).

There’s not (yet) a built-in way to put an app in more than one network. Your userland Go option might be your best bet, but you can also just create a normal WireGuard interface in your VM as a “peer” to any network you’d need. It’s baked into the kernel. We shipped a little WireGuard token API to help with this kind of setup: WireGuard Token API