That RFC actually says that localhost is worse than 127.0.0.1. This is because it’s still a DNS name that can be resolved, and incorrectly configured machines (or maliciously configured machines) can have that mapped to anything. See https://tools.ietf.org/html/rfc8252#section-8.3