See also https://lobste.rs/s/udvcbq/perils_real_client_ip
Yes! It’s funny, part of the impetus for writing my post was that there didn’t seem to be anything I could point people to that discussed these issues. I think Adam was in the same boat, and then we ended up posting on the same day. :-) I actually highly recommend his post as well, because, despite the overlap, his is more focused on rate-limiting, and mine is more focused on background on how to think about XFF and a variety of use-cases. I have it linked from the bottom of my post.
He also has a good post about the special challenges of IPv6 in rate-limiting, which apparently (as with XFF itself) almost nobody is handling well: https://adam-p.ca/blog/2022/02/ipv6-rate-limiting/