Throttle override currently does not offer a way to blacklist a set of ip addresses from being used in an override rule. Wikimedia would need this, especially for private ranges. While it's reasonable to expect developers (who are needed for the current process of sending a patch to gerrit, deploying it in swat) to just notice private ranges when seeing them, we cannot expect stewards to know that they should not set a throttle exemption for 172.19.12.18 or fe80::3301:e425:27ad:370f.
We could hardcode the private addresses, but I'd rather use a configurable blacklist which will have less impact for external users of this extension and allows us to easily adopt this in case we want to block some ip address for a different reason in the future.