Are you sure? I think these dns names are deterministic, they never change, for example www.10.0.0.1.xip.io will always resolve to 10.0.0.1 - and I don't think there is a mode where a name could resolve to different ipv4 addresses at different times.

EDIT: I experimentally confirmed that opendns and google dns, which claim to block dns rebinding attacks, do not block xip.io or subdomains thereof

It depends on the implementation of the DNS rebinding protection.

I have just checked, and my pfSense firewall (which claims to block DNS rebinding) blocks local addresses from resolving through xip.io (tested with loopback and several RFC1918. All blocked, regardless of whether they match the subnet in use). External addresses (e.g. 1.1.1.1.xip.io) resolve fine.

I see this too, with Unbound. Using Cloudflare over TLS as my upstream resolver.

It was the first thing that came to my mind when I read about xip.io!

It should work for external IP addresses regardless.