After a way too long time I figured out I can encrypt using a specific subkey using SUBKEYID!.
I have a setup with multiple encryption subkeys (for other devices) according to this guide:
```
sec#  ed25519/0xFFD59E5D2343CE94 2023-02-19 [SC] [expires: 2025-02-18]
      AD23C5B72147C2879D676BE2FFD59E5D2343CE94
uid                   [ultimate] Manu [tennox] (Main) <manu@XXX.de>
ssb   cv25519/0x37F4E8B81DE452FE 2023-02-19 [E] [expires: 2024-02-19]
ssb   ed25519/0x6B72597BC8B809E0 2023-02-19 [S] [expires: 2024-02-19]
ssb#  ed25519/0x2F004F9849B91FB0 2023-02-19 [S] [expires: 2023-11-16]
ssb#  cv25519/0x2387EB82F1A178FE 2023-02-19 [E] [expires: 2023-11-16]
ssb#  ed25519/0x2116F05E3E278DFC 2023-02-19 [A] [expires: 2023-11-16]
```
But gpg selects the wrong key by default (even though it's the second in this list...? maybe it's the first when ordered by key id?).
I found numerous stackexchange posts with no config solution, here are two:
- https://unix.stackexchange.com/questions/423466/can-gnupg-be-configured-to-use-the-last-available-subkey
- https://unix.stackexchange.com/questions/234273/how-can-i-encrypt-with-my-previous-gpg-subkey-after-creating-a-new-one
The ! selection is a decent workaround, but there are many tools that don't deal [well] with subkeys, like gopass, and in any case it would be great to be able to configure which subkey gpg uses by default for a certain primary key.
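
The `SUBKEYID!` workaround described above can be scripted. The following is an added example, not part of the original post: it parses `gpg --with-colons` output and prints each usable encryption subkey of one primary key in the forced-selection form. The function names `enc_subkeys` and `sample_listing` and the sample records are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Reads `gpg --with-colons --list-keys`
# output on stdin and prints every usable encryption subkey of one primary key
# in the forced-selection form "0xSUBKEYID!".
# $1: long key ID or fingerprint of the primary key, with or without "0x".
enc_subkeys() {
    awk -F: -v want="$1" '
        BEGIN {
            want = toupper(want); sub(/^0X/, "", want)
            # A v4 long key ID is the last 16 hex digits of the fingerprint.
            if (length(want) > 16) want = substr(want, length(want) - 15)
        }
        # Subkeys belong to the most recent "pub" record.
        $1 == "pub" { inkey = (toupper($5) == want); next }
        $1 == "sub" && inkey {
            if ($2 ~ /^[reid]/) next   # revoked, expired, invalid, disabled
            if ($12 !~ /e/) next       # field 12: capabilities, "e" = encrypt
            printf "0x%s! expires=%s\n", $5, ($7 == "" ? "never" : $7)
        }'
}

# Constructed sample: the key IDs are the ones listed in the post, timestamps are
# midnight UTC of the listed dates, records are trimmed to the fields used above.
# The second key block is entirely made up to show scoping and filtering.
sample_listing() {
    cat <<'EOF'
pub:u:255:22:FFD59E5D2343CE94:1676764800:1739836800::u:::scESC:
sub:u:255:18:37F4E8B81DE452FE:1676764800:1708300800:::::e:
sub:u:255:22:6B72597BC8B809E0:1676764800:1708300800:::::s:
sub:u:255:22:2F004F9849B91FB0:1676764800:1700092800:::::s:
sub:u:255:18:2387EB82F1A178FE:1676764800:1700092800:::::e:
sub:u:255:22:2116F05E3E278DFC:1676764800:1700092800:::::a:
pub:f:255:22:1111111111111111:1600000000:::-:::scESC:
sub:r:255:18:2222222222222222:1600000000::::::e:
sub:f:255:18:3333333333333333:1600000000::::::e:
EOF
}

# Real use (commented out so the block runs offline):
#   gpg --with-colons --list-keys 0xFFD59E5D2343CE94 | enc_subkeys 0xFFD59E5D2343CE94
#   gpg --encrypt --recipient '0x37F4E8B81DE452FE!' file.txt
sample_listing | enc_subkeys 0xFFD59E5D2343CE94
```

Quote the recipient in single quotes when passing it to gpg, since `!` triggers history expansion in interactive bash and zsh.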