I don't know if you can make any blanket statements about how legitimate it is, but based on my minimal understanding, it should not in and of itself pose any risks unless your site/application does anything special with it (e.g. bypass basic auth if it's from Google because you want it to crawl your site or something?). Ultimately I guess it's like any other VPN sort of thing -- if you don't want users to hide their IP, then you could disallow it, but risk losing traffic you'd actually like to have?

It's not even risks, per se; it's the PHB complaining about skewing of statistics. I'm not even sure he's got a valid point.

I can tag it as bot traffic and it won't show in his reports, or our "top products this week" pages. But I think it's probably legit. My research shows 4 possible sources, in order from least likely to most:

a. Google Employees looking at our site.
b. "Google Safe-Image" caching ... which does seem kind of like a bot-ish thing.
c. Google Preview (screen captures of our site).
d. "Data-Saver", a Chrome OS option that fetches resources via Google Proxies. This is especially true on Nexus phones, but may also be on Chromebooks, Android phones in general, etc.

He sees things with the same number of hits and multiples from the same IP address and gets all spooky on us.