I could see extending the limitation of the loopback address to also include the private IP ranges. I assume in that case it is extremely unlikely that the server will have an https certificate, so that's another reason to keep the limitation on the private IP ranges rather than allowing arbitrary IP addresses.
One of the benefits of the client ID being a publicly accessible web page is that the authorization server can fetch the application name and icon from that page.
In the case of using a private IP address, the authorization server won't be able to fetch any information about the client, so the prompt will show just the IP.
The other option is to use https://www.home-assistant.io/
as the client ID, allowing just the redirect URL to be a private IP. This breaks the rule of the client ID and redirect URL hostnames matching, so servers may show a warning like the below, but at least the application info is visible.