
I understand that. But, we are talking about defaults. The reason the exploits that this submission is talking about took place is because too many people didn’t change the defaults.

Assuming people took the sensible leap that private resources equal private IP address, they are not going to then go out of their way to configure their router to route their private resources.

As far as “route everything” how is it going to know how to route from a public IP address to your ES server unless you specifically tell it?

I’m sure no one who got hacked went out of their way to configure their router to make their ES cluster publicly accessible.



> Assuming people took the sensible leap that private resources equal private IP address, they are not going to then go out of their way to configure their router to route their private resources.

That works until you have a legitimate need to expose a few of those private IP addresses publicly (which is bound to happen sooner or later). It's a bad idea to rely on the same thing to carry two subtly different meanings - especially when one of them is security-critical.

> As far as “route everything” how is it going to know how to route from a public IP address to your ES server unless you specifically tell it?

The router knows how to reach the ES server (it has to be able to send packets to that server if it's providing that server's connection to the internet). So if someone on the outside does `route add <ES server> via <router>` (or, these days, slightly more sophisticated alternatives) then they have access to the ES server same as if it was just on the internet. A few years back this was a big source of vulnerabilities - organisations assumed that their servers were safe because they didn't have public addresses, but nothing was actually stopping people sending packets to those servers if they figured out (or guessed) what the addresses were.
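The forwarding behaviour the reply above describes, as an added example that is not part of the thread: a small Python model of a router whose routing table knows the way to a private ES server, so a packet arriving from the outside (which is all that `route add` on the attacker's side produces) is forwarded unless an explicit ingress filter says otherwise. The interface names, addresses, routes and exposed-service list are constructed for the example.

```python
"""Model of the decision the comment describes: a router with a route to a
private (RFC 1918) server forwards packets to it from any interface unless
an explicit filter exists.  All addresses and names here are constructed."""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
RFC1918 = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on ("wan" or "lan")
    src: str
    dst: str


# Constructed routing table; lookup uses longest prefix match like a real FIB.
ROUTES = {Net("10.0.0.0/24"): "lan", Net("0.0.0.0/0"): "wan"}


def lookup(dst: str) -> str:
    addr = ipaddress.ip_address(dst)
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def is_private(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in n for n in RFC1918)


def forward_naive(pkt: Packet) -> str:
    """Route lookup only: private addressing is the only 'protection'."""
    return lookup(pkt.dst)


# The few private services deliberately published, listed explicitly.
EXPOSED = {"10.0.0.80"}


def forward_filtered(pkt: Packet) -> str:
    """Ingress filter on the WAN side: drop bogon sources and any private
    destination that was not explicitly exposed, then route as usual."""
    if pkt.ingress == "wan":
        if is_private(pkt.src):                      # spoofed/bogon source
            return "drop"
        if is_private(pkt.dst) and pkt.dst not in EXPOSED:
            return "drop"
    return lookup(pkt.dst)


if __name__ == "__main__":
    outsider = Packet("wan", "203.0.113.7", "10.0.0.5")  # public src, private dst
    print(forward_naive(outsider), forward_filtered(outsider))  # lan drop
```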
