Yeah, it’ll forward anything that makes its way. Although it doesn’t mean you can just proxy anyway through it. If it’s on the public Internet for example, sure it would theoretically forward to 10.0.0.0/8 range, but you need a packet addressed to 10.0.0.0/8 to somehow make it to your box in the first place, which you can’t do as each hop makes an independent routing decision.
Neighbours on a cloud VPS are definitely the most likely to be able to exploit this, assuming you have a private IP on a shared network somehow and they let you talk to other VMs directly via their private IP. Making a virtual network just for the customer’s VMs is incredibly cheap, and most cloud providers either have you make a virtual network or they just come with a default one that’s still all yours, so this is less and less common unless you’re on some super old VPS host that did it the lazy way. But even if you’re literally on a friend’s Proxmox, it’s trivial to set up a dedicated virtual network. Even VirtualBox lets you easily make virtual networks.
I’d still set up the firewall though, even if it’s just a -A FORWARD -i eth2 -j DROP to explicitly disallow forwarding from the publicly exposed interface, if you really want to blindly trust and forward to internal VPNs and VMs and containers and whatnot you have going that you want to enable forwarding for. But it’s really not that hard to set up basic sanity rules like, don’t forward traffic coming from the public interface to anywhere.
Things like firewalld or ufw can help you with firewall stuff.