Private addresses offer no security benefit whatsoever. If you have no firewall, nothing at all prevents me from doing `ip route add 10.0.0.0/8 your.routers.ip.here`
IP is silly and refers to next hops by IP address, which fundamentally makes very little sense, because IP routing actually works by sending packets toward either whatever is on the other end of a point-to-point link irrespective of its address or toward a certain destination on a certain link, where that destination is addressed by a link-specific address (generally a MAC address). In common usage, the sole purposes of a next hop IP address are to identify the link (implicitly, while configuring the route) and to tell the router what IP address to ask for via ARP / neighbor discovery so it can actually route there.
With that in mind you are (on Linux, anyway) very much prevented from this particular mucking around:
$ sudo ip route add 1.2.3.4/32 via 5.6.7.8
Error: Nexthop has invalid gateway.
Because it's not actually possible to route a packet via a host that isn't locally reachable.
You can try to send packets using various encapsulation schemes to try to convince an intermediate router to decapsulate the packet and forward it to an attacker-controlled address, and someone manages to pull this off every now and then. Actually getting the evil packets in question to traverse the public Internet can be challenging but is not necessarily impossible. So the actual point stands -- relying on a private IPv4 address range to be unreachable by the general public merely by virtue of being private and without using an ACL is a mistake.