If the device has *.company.com registered on the network adapter, or any other relevant FQDN that has been defined, this is a valid condition for the device to be recognized as on-prem. If the device is connected to the company network and the Sensor can ping one or more of the IP addresses defined in Reachable Hosts, that is also a condition that defines the device as on-prem. At least one of the two conditions has to be met for the device to be considered on-prem. If neither condition is met, the machine is off-prem.
The statement below, shown in Reachable Hosts, is a broad one based on RFC 1918, because these IP ranges were originally defined as reserved IP addresses. The concern is that if a home user has 172.X.X.X defined on their home network and an address there matches what is defined in Reachable Hosts as a reachable host, the Sensor would incorrectly report as on-prem.
"A reachable host should be the IP address or FQDN for a host that can only be reached when the device is on-prem. A good example would be the name of your internal DNS server. Private IP addresses (10.x.x.x, 172.x.x.x, etc.) are not allowed."
This can potentially be an issue with any IP range. If a device on a home or other remote network matches an entry in Reachable Hosts, the condition can be met and the Sensor will report that it is on-prem when it is really off-prem.
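The two on-prem conditions and the Reachable Hosts collision described above, modeled as an added example (not the Sensor's own code). The function names, the `can_ping` probe, and the sample entries are assumptions constructed for illustration; the audit covers only the RFC 1918 case.

```python
import ipaddress
from fnmatch import fnmatch

# RFC 1918 private ranges; the same addresses are reused on home networks.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_on_prem(adapter_suffixes, dns_patterns, reachable_hosts, can_ping):
    """On-prem if EITHER a DNS suffix on the adapter matches a defined
    pattern OR any Reachable Hosts entry answers a ping.
    can_ping is a caller-supplied probe (hypothetical helper)."""
    dns_match = any(fnmatch(s.lower(), p.lower())
                    for s in adapter_suffixes for p in dns_patterns)
    host_match = any(can_ping(h) for h in reachable_hosts)
    return dns_match or host_match


def audit_reachable_hosts(entries):
    """Return (entry, reason) for entries that can also match off-prem."""
    findings = []
    for entry in entries:
        try:
            addr = ipaddress.ip_address(entry.strip())
        except ValueError:
            continue  # FQDN entry; not evaluated by this check
        if any(addr in net for net in RFC1918):
            findings.append((entry, "RFC 1918 address, may exist on a home network"))
    return findings


# Constructed sample: a policy listing a private IP and an internal DNS name.
SAMPLE_HOSTS = ["172.16.0.10", "dns01.company.com"]
# Constructed sample: a home network where some device reuses 172.16.0.10.
HOME_NETWORK_LIVE = {"172.16.0.10"}


def home_ping(host):
    """Simulated ping from a device sitting on the home network."""
    return host in HOME_NETWORK_LIVE


if __name__ == "__main__":
    # No DNS suffix match at home, yet the private IP answers: false on-prem.
    print(is_on_prem(["home.lan"], ["*.company.com"], SAMPLE_HOSTS, home_ping))
    print(audit_reachable_hosts(SAMPLE_HOSTS))
```

Running the audit over a policy's Reachable Hosts list before deployment shows which entries should be replaced with a host that only resolves or responds on the company network.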