(fix the formatting of my comment, and make the description and summary accurate)
That isn't the correct threat model; RPF prevents us from forged source addresses. It doesn't protect from legitimate packets addressed to the backend network. To whit:
root@sctv-television-rx:~# ping 10.5.128.17
PING 10.5.128.17 (10.5.128.17) 56(84) bytes of data.
--- 10.5.128.17 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3009ms
root@aperture-science:~# tcpdump -i eth0 host sctv-television-rx.xvm
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:42:32.610776 IP XVM-65.MIT.EDU > aperture-science-internal: ICMP echo request, id 46180, seq 1, length 64
17:42:33.620334 IP XVM-65.MIT.EDU > aperture-science-internal: ICMP echo request, id 46180, seq 2, length 64
17:42:34.620373 IP XVM-65.MIT.EDU > aperture-science-internal: ICMP echo request, id 46180, seq 3, length 64
17:42:35.620387 IP XVM-65.MIT.EDU > aperture-science-internal: ICMP echo request, id 46180, seq 4, length 64
Guests should never be able to generate traffic on the backend network.