To further summarize ongoing conversations: It appears that there many be another alternative, midway between the two extremes of stabilization on one hand and keeping this bug report open on the other. The idea is to ship WireGuard in stable-backports and in unstable, but not let this migrate to testing. That way stable users have access to it in a rolling manner, and we never need to worry about stale snapshots being distributed to users, and we also don't need to compromise on the fact that snapshots are merely snapshots, not releases. There is some precedent for such a thing -- the grsecurity patchset formerly did this.
Of the various options, this one seems quite sensible to me for the time being.
