From my understanding of how this works, that's mostly a consequence of the Tor browser trying to achieve network privacy and anonymity at the wrong layer.
The right way would be to route all the requests through Tor, not just those from the engine of the browser.
I used to be of this opinion, but [1] changed my mind.
The problem is that there's a huge potential to deanonymize the user at an exit node because of all sorts of traffic other than web browsing. Do all of your chat programs encrypt everything? How about your email client? What about every daemon on your system that accesses the Internet?
At the very least, all of these can be used to fingerprint you.
WebRTC is a great example of why the user-agent turns out to be the right level to think about anonymity over Tor.
I agree that Tor is a special case, but who uses Tor without Tor Button, Tor Browser, or something similar? It's easy to disable WebRTC in those instances.
Regarding internal VPN IPs, I don't understand how this would help an attacker. If someone has broken into a VPN network and is in a position where they could make use of that data, then it's game over anyway. Otherwise, what do you want with an internal IP, besides fingerprinting?
By the way, fingerprinting no doubt is an issue, along with a dozen or so other JavaScript APIs that leak data. If you don't want to be fingerprinted, use something like NoScript. Advertisers can already uniquely identify you based on various other data leaked by JS; I don't know why WebRTC has been singled out for this reason.
Because IP addresses feel private. Even though you send one with every packet. Even though the extra one sent by WebRTC is the one behind your NAT, and probably just 192.168.[0,1].
They can actually be private. What if you set up a proxy or a VPN with the express purpose of masking your real IP address, and then WebRTC barfs it out on demand anyway?
Again, WebRTC does not "barf" out your real IP in a VPN situation -- it barfs out the VPN's internal IP, which is meaningless to anyone except for the VPN's operator (and they have that data anyway).
Your actual, ISP-assigned IP remains hidden to any site you visit.
I thought it would provide every IP address held by the system, which would include both the internal VPN IP address and your actual ISP-provided IP address.
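The disagreement above turns on which addresses appear in the ICE candidates a browser gathers. As an added example (not part of the thread), the following parses candidate lines and labels each address by scope, so you can check what your own browser emits behind a VPN. The sample lines are constructed: 203.0.113.45 is a documentation address standing in for a public one, and the `.local` entry stands in for an mDNS-obfuscated host candidate.

```javascript
// Added example: classify addresses found in ICE candidate lines.
// SAMPLE_CANDIDATES is constructed data, not output captured from any browser.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "a=candidate:2 1 udp 2122194687 10.8.0.6 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.45 61000 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:4 1 udp 2122260223 constructed-name.local 54323 typ host",
];

// Field order: foundation component transport priority address port "typ" type ...
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (!f[0].startsWith("candidate:") || f.length < 8 || f[6] !== "typ") return null;
  const raddrAt = f.indexOf("raddr");
  return {
    address: f[4],
    port: Number(f[5]),
    type: f[7], // host, srflx, prflx or relay
    relatedAddress: raddrAt > 0 && f[raddrAt + 1] ? f[raddrAt + 1] : null,
  };
}

// Label an address by scope. Only IPv4 is classified; other values are flagged.
function classifyAddress(addr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(addr);
  if (!m) return addr.endsWith(".local") ? "mdns-name" : "not-ipv4";
  if (m.slice(1).some((o) => Number(o) > 255)) return "invalid";
  const [a, b] = [Number(m[1]), Number(m[2])];
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "private";
  if (a === 127) return "loopback";
  if (a === 169 && b === 254) return "link-local";
  return "non-private";
}

// One record per parsable candidate; malformed lines are skipped.
function summarize(lines) {
  return lines.map(parseCandidate).filter(Boolean).map((c) => ({
    type: c.type,
    address: c.address,
    scope: classifyAddress(c.address),
    relatedAddress: c.relatedAddress,
  }));
}

console.table(summarize(SAMPLE_CANDIDATES));
```

Any row with scope `non-private` that is not the VPN's exit address is the case the last comments are arguing about.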