Any header the user can set is always suspect.
We 'use' it when the ALB sets it for real-client-ip in nginx (while understanding that if something looks weird we should look at the full header). However a better solution is if your edge service sets (and protects, that's important) a header with the client IP to use that.
Cloudflare does this. Fastly does this as well, and I know Fastly protects it because I tested this specifically.
Cloudflare actually can set it in two different ways, however one of the ways is an upsell (only because it names it Real-Client-Ip which is apparently something set by other products, including Fastly). I was very amused when I got the Cloudflare rep to admit that.
source: author of django-forwarded middleware, finds client IP from XFF header.