This is normal to return a terse message to a remote user via API. The remote user may be hostile, actively trying to gather information useful for breaking in.

But the local user who operates pf is already trusted, normally it would be root.

In either case, no error should be silently swallowed. Details should be logged in a secure way, else troubleshooting becomes orders of magnitude harder.