Reported on the forum: https://forum.vyos.io/t/conntrack-is-enabled-by-default-on-1-4-rr/10586
Possibly missed during my firewall refactor, vyatta made use of FW_CONNTRACK and NAT_CONNTRACK chains to enable/disable conntrack depending if rules are found to match on state in firewall/nat modules.