aio-libs / aiohttp-remotes

A set of useful tools for aiohttp.web server

Home Page:https://aiohttp-remotes.readthedocs.io

XForwardedXXX does not allow more than one proxy in the X-Forwarded-For header.

rgacote opened this issue · comments

Deploy environments may have more than one proxy-like device in the HTTP(S) delivery path.
For example, a load balancer forwards to nginx, which forwards to an aiohttp service.

It is also possible the client is connecting via a proxy, which adds its own X-Forwarded-For header.

IFF we assume deployment is either always without a proxy (development) or behind a proxy (production), then it should be safe to check the last proxy on the list against the trusted list.

If the deployed environment is running more than one proxy, it would be possible to check proxies to some depth. Checking all the proxies is difficult since the first proxy on the list might be from the client's environment.

GitMate.io thinks possibly related issues are #18 ((X-)Forwarded not compatible with AF_INET6), and #52 (XForwardedStrict fails when NOT behind a proxy).

Closing this issue as I am mistaken in how the module was working.
I now realize that the reason for the list of sets of IP addresses is to address this precise need (except for the client-side proxy).
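As an added illustration of the per-hop check the thread lands on (this is not the aiohttp-remotes implementation), the function below validates an X-Forwarded-For chain against a list of trusted networks, one set per proxy hop counted from the hop nearest the application, and returns the client address as seen by the outermost trusted proxy. Anything further left in the header (such as a proxy in the client's own environment) is not trusted. The network ranges, peer addresses and header values are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: the hop that talks to aiohttp directly (nginx tier)
# comes first, then the load balancer tier behind it.
TRUSTED_HOPS = [
    {ip_network("10.0.1.0/24")},   # depth 0: nginx, the TCP peer of the app
    {ip_network("10.0.0.0/24")},   # depth 1: load balancer in front of nginx
]


def resolve_client_ip(peer_ip, xff_header, trusted_hops):
    """Return the client address after stripping exactly one trusted proxy
    per configured hop, or None if the chain does not match the topology.

    The TCP peer is the innermost hop and is not present in the header;
    each proxy appends the address it saw, so the header is read from the
    right. A None result means the header must not be trusted: callers
    should fall back to the raw peer address or reject the request.
    """
    try:
        addrs = [ip_address(peer_ip)]
        addrs += [ip_address(p.strip())
                  for p in reversed(xff_header.split(",")) if p.strip()]
    except ValueError:
        return None  # malformed address anywhere in the chain

    # addrs is now ordered innermost -> outermost: peer, last XFF entry, ...
    for depth, allowed in enumerate(trusted_hops):
        if depth >= len(addrs):
            return None  # fewer hops than the deployment requires
        if not any(addrs[depth] in net for net in allowed):
            return None  # this hop is not a trusted proxy for its position

    if len(addrs) <= len(trusted_hops):
        return None  # only proxies, no client address left
    # The rightmost untrusted entry: what our outermost proxy actually saw.
    # Entries further left may have been set by the client's own proxy.
    return addrs[len(trusted_hops)]


if __name__ == "__main__":
    # LB -> nginx -> app; the header carries the client, then the LB.
    print(resolve_client_ip("10.0.1.7", "203.0.113.9, 10.0.0.3", TRUSTED_HOPS))
```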