Running multiple docker containers with UFW and "--iptables=false"

Oh I see what you mean.

This is true for any iptables firewall approach, really. The reason is that Docker sets up NAT rules, so the FORWARDING chain is where it happens.

This Stack Overflow question discusses that in a little more depth than I can: http://stackoverflow.com/questions/30769829/docker-ignores-iptable-rules-when-using-p-portport

As for how to implement that type of solution with ufw, I couldn’t say for sure, as my ufw experience is fairly limited.

I imagine you could tell ufw to set up some rules that happen on the FORWARD chain based on source IPs and whatnot.
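
Added example, not part of the original post: a small audit over `iptables-save` text that lists each DNAT-published port and reports whether any FORWARD rule names the container it is redirected to, which is the chain the reply points at. The rulesets, addresses and the function names `dnat_targets` and `audit_forward` are constructed for illustration, and the check is a heuristic that only looks for a FORWARD rule with a matching `-d`.

```shell
# Constructed iptables-save sample (not from the thread): a DNAT rule of the kind
# Docker adds for `-p 8080:80`, INPUT allowing only SSH, FORWARD policy ACCEPT.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'
# Same ruleset plus source-based FORWARD rules (addresses are constructed).
HARDENED_RULES="${SAMPLE_RULES%COMMIT}-A FORWARD -s 203.0.113.0/24 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 172.17.0.2/32 -j DROP
COMMIT"

# Print "hostport container_ip:port" for every DNAT rule in the nat table.
dnat_targets() {
  awk '
    /^\*/ { table = substr($0, 2) }
    table == "nat" && /-j DNAT/ {
      port = ""; dest = ""
      for (i = 1; i < NF; i++) {
        if ($i == "--dport") port = $(i + 1)
        if ($i == "--to-destination") dest = $(i + 1)
      }
      if (port != "" && dest != "") print port, dest
    }'
}

# For each published port, report whether the filter table's FORWARD chain has a
# rule naming the container address. INPUT rules are ignored on purpose:
# DNAT-ed packets are forwarded, so INPUT never sees them.
audit_forward() {
  rules=$1
  printf '%s\n' "$rules" | dnat_targets | while read -r hport dest; do
    ip=${dest%%:*}
    verdict=$(printf '%s\n' "$rules" | awk -v ip="$ip" '
      /^\*/ { table = substr($0, 2) }
      table == "filter" && $1 == ":FORWARD" { policy = $2 }
      table == "filter" && $1 == "-A" && $2 == "FORWARD" {
        for (i = 1; i < NF; i++)
          if ($i == "-d" && ($(i + 1) == ip || $(i + 1) == ip "/32")) matched = 1
      }
      END { print (matched ? "filtered-in-FORWARD" : (policy == "DROP" ? "dropped-by-policy" : "open-INPUT-not-consulted")) }')
    echo "$hport -> $dest $verdict"
  done
}
audit_forward "$SAMPLE_RULES"
audit_forward "$HARDENED_RULES"
```

On a live host the same function can be fed the output of `iptables-save` instead of the constructed samples.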