The syntax being referred to includes some obscure, outdated addressing formats (IPv4 addresses represented as two or three number groups in dotted notation rather than the normal 4).

However, "DNS-based reference identity [RFC9525]" seems to explicitly disallow IP-based certificates by requiring a DNS name. I can only interpret the sentence I quoted as written to say "make sure you never ever accidentally validate an IP address".

I don't think your interpretation is right. If it were,

> Clients that incorporate DNS names and IP addresses into the same syntax

They wouldn't mention the IP addresses at all. Also, notice the word "and".