Thinking about this, yes, IP-allow lists certainly aren’t perfect (as a determined attacker could go via Fly, in theory, as discussed).
But the big appeal of them is they remove that one more thing to deal with, at my end (that inevitably decides to stop working at 2am). Whether it’s an additional VM gateway through which all requests pass, a software process, proxy, etc. It’s something which then needs monitoring and redundancy. As without that thing working, no database access. Big problem.
So personally I’d +1 for IP lists.
(And also given that a certain rival provides the option of assigning an external IP to an app to solve this problem. And I don’t want to give them any more money.)