Private address ranges are a human convention and there have been instances in the past of upstream routers passing them on.[1] Relying on other people to do your filtering for you is a bad idea. I'm going to put the rules in my own router, whether those addresses are (potentially) globally routable or are designated as private.
The use of small private pools has even helped attackers who would inject browser scripts probing the well-known prefixes.[2]