You can understand that whoever updates to this latest release-202312 automatically has all their users exposed in their LAN, and you can assume that most (if not all) people use a proxy; they automatically get all their users exposed to the outside world.
So in your view almost everyone is using a reverse proxy, and the majority of those have it configured in a way that does not pass the origin IP through to Home Assistant correctly, likely ignoring the inclusion of the X-Forwarded-For header and possibly other headers. They connect from outside their network, and they appear to HA to be connecting from a device inside their network.
Ignoring the local login page, how could that best be addressed?
Most users have never heard of reverse proxies, the X-Forwarded-For header, and possibly other headers. They surf the WWW and repeat what is shown. As for me, I’m not a super-duper IT specialist, so I found several ways to expose my HA to the WWW. The most suitable for me is an SSH tunnel between HA and a VPS (I suppose it works as a reverse proxy). Nginx on the VPS forwards requests on the VPS to the necessary port on HA. And when I log in from outside my home network, my HA detects it as a local login. So the default security settings for most users must be the highest security!
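Added example, not part of the posts above and not Home Assistant's code: a simplified Python model of how a server picks the client address behind a reverse proxy, showing why the tunnel setup described above looks like a local login unless the proxy sends X-Forwarded-For and the server trusts that proxy. The function names, the `LOCAL_NETS` list and the sample addresses are constructed for illustration; the tunnel is assumed to end on the HA host, so the connection arrives from 127.0.0.1.

```python
import ipaddress

# Networks this model treats as "local" (constructed for the example).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve_client_ip(peer_ip, xff_header, trusted_proxies):
    """Pick the address a server should treat as the real client.

    peer_ip         -- source address of the TCP connection the server sees
    xff_header      -- raw X-Forwarded-For value, or None when the proxy sent none
    trusted_proxies -- CIDR strings of proxies allowed to supply the header
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    peer = ipaddress.ip_address(peer_ip)

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    # The header is only believed when the connection comes from a trusted proxy.
    if not xff_header or not is_trusted(peer):
        return peer
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in xff_header.split(",")]
    except ValueError:
        return peer  # malformed header: fall back to the connection address
    # Walk right to left and return the first hop that is not a trusted proxy.
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return hops[0]


def looks_local(peer_ip, xff_header, trusted_proxies):
    """True when the resolved client address falls inside LOCAL_NETS."""
    addr = resolve_client_ip(peer_ip, xff_header, trusted_proxies)
    return any(addr in net for net in LOCAL_NETS)


if __name__ == "__main__":
    # Constructed cases: the tunnel ends on the HA host, so the peer is 127.0.0.1.
    cases = [
        ("no header forwarded", "127.0.0.1", None, ["127.0.0.1/32"]),
        ("header sent, proxy not trusted", "127.0.0.1", "203.0.113.7", []),
        ("header sent, proxy trusted", "127.0.0.1", "203.0.113.7", ["127.0.0.1/32"]),
    ]
    for name, peer, xff, trusted in cases:
        print(f"{name}: local={looks_local(peer, xff, trusted)}")
```

Only the third case resolves to the external address: the proxy has to add the header and the server has to trust that proxy before a remote login stops looking local.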
I think you underestimate most users. Yes, there are users who only use Home Assistant on a private network, and of course a lot of users use Home Assistant Cloud.
Then there are the tech-savvy users. They read the changelog, can identify the problem and (if possible) implement a fix.
Everything in between are users that copy-paste every possible solution on Stack Overflow until it works for them. I think this is the vast majority.