I’m not sure if this will help, but have you looked into capabilities at all? You can define this at a binary level (using the setcap command), or can define it within a systemd service unit as an ambient capability. (Actually, it seems as if the AmbientCapabilities directive within systemd is not currently supported on Sailfish OS, which is at version 3.4.0.24 as of this writing.)
For instance, I utilized capabilities to get Nebula working on Sailfish as an unprivileged user.
In your case, I would look into the CAP_NET_RAW capability, possibly coupled with the CAP_NET_ADMIN capability. In my case, I needed those two, plus my user needed to be in the vpn group. In order to access /dev/net/tun at all, I needed to be in the vpn group. In order to do anything with the tun device, I needed CAP_NET_ADMIN. In order to set up a UDP listener (even on a high-numbered port), I needed CAP_NET_RAW.
I would start off trying commands like the following as root to see if you can get it working (obviously replace my fake paths, arguments (if needed), and username below)…
setcap cap_net_admin,cap_net_raw+ep /path/to/your/binary
su -s /bin/bash -c '/path/to/your/binary arg1 arg2' unprivilegeduser
If that works, I would try removing cap_net_admin and see if it still works. You may very well have to keep your user in the inet group as well, but you can experiment with and without that.
In the end, in my case, I ended up using systemd to run things, but since ambient capabilities are not supported within systemd on Sailfish OS (as of the time of this post, anyway), I set the capabilities manually on the binary itself like I illustrated above.