In and out are with respect to the (typically physical) interface on the machine with the pf rules. For a router acting as a firewall, a packet from a private host going to the Internet will come in (to the router) on the private interface and go out on the public interface, while return packets from the connection will come in on the public interface and go out on the private one. So “in” and “out” don’t know anything about what you consider internal or external; they only know about the direction a packet is going on a physical interface.
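The same point as a pf.conf fragment for the router described above. This is an added example, not a ruleset from the original text; the interface names `em0`/`em1` and the LAN prefix are assumptions, and NAT is left out so the fragment only shows direction.

```conf
# Constructed example: interface names and the LAN prefix are assumptions.
ext_if  = "em0"               # public interface (toward the Internet)
int_if  = "em1"               # private interface (toward the LAN)
lan_net = "192.168.1.0/24"

set skip on lo0

# Default deny in both directions on every interface.
block log all

# A private host talking to the Internet crosses the router twice:
# first the packet comes IN on the private interface...
pass in  on $int_if inet from $lan_net to any
# ...then the same packet goes OUT on the public interface.
pass out on $ext_if inet from $lan_net to any

# Return packets travel "in on $ext_if" and "out on $int_if".
# They match the state entries created by the two pass rules above,
# so no "pass in on $ext_if" rule is needed for replies.

# New connections from the Internet also arrive "in on $ext_if".
# The default block already covers them; spelled out for clarity:
block in log on $ext_if
```

Note that `block in on $ext_if` does not stop replies to LAN-initiated connections, and `pass out on $ext_if` alone does not let LAN hosts out, because their packets must first be passed `in` on `$int_if`.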