Xz utility had backdoor

Yes, if you have a star network like @Rosika, the router assigns those addresses.
You can have a local network, without a router, and there you assign addresses in that range by hand. I do that because I have ethernet printers.

There are two other address ranges that do not transmit.
One is 10.0.x.x, I can't remember the other.

VMs use these ranges too for virtual networks. Virt-manager uses the 192.168 range, Gnome-boxes uses the 10.0 range.

2 Likes

Yes, but that is not the whole story.
If your public IP address receives a packet, NAT translates its destination into an internal address… but only if that packet is from a site replying to a request from your computer. All other packets are rejected… in theory… but as you say clever people may get around NAT.

Some services can operate across NAT… for example NFS can operate across a NAT connection. So there may be ways to breach it?

2 Likes

The ranges are:

10.0.0.0/8
172.16.0.0/12
192.168.x.0/24

Also, I recently learned (the hard way) of another range set aside for Carrier Grade NAT (CGN):

100.64.0.0/10

My new ISP seems to use that by default. My router runs NAT for my internal network in a 192.168.x.x range and then my ISP runs NAT again. I’ve always heard double NAT is bad, but it should sure insulate me from hacks.

The “public” IP on my router is in the 100.64.0.0/10 range, but if I check my public IP on https://ifconfig.co it comes back as a different IP address, a “real” public IP address.

The bad news is, I can’t expose an internal service using a rule on my router. I may be able to get a public IP from my ISP at an extra charge. I don’t think I really need to though.

Using something like Cloudflare I could expose a service by using them as a tunnel.

4 Likes
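To make the address classes from this post concrete, here is a small checker (added example, not from anyone in the thread) that sorts an IPv4 address into the RFC 1918 private blocks, the RFC 6598 CGNAT block, or public space, and then applies the same double-NAT test the post describes: compare the router's WAN address with what an external site reports. The sample addresses below are constructed; 203.0.113.0/24 is documentation space standing in for a real public IP.

```python
from ipaddress import ip_address, ip_network, IPv4Address

# Address blocks named in the thread (RFC 1918 private space, RFC 6598 CGNAT
# shared space) plus two others that are likewise never routed on the internet.
RANGES = {
    "rfc1918": [ip_network("10.0.0.0/8"),
                ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")],
    "cgnat": [ip_network("100.64.0.0/10")],       # carrier-grade NAT pool
    "loopback": [ip_network("127.0.0.0/8")],
    "link-local": [ip_network("169.254.0.0/16")], # no DHCP lease obtained
}


def classify(addr: str) -> str:
    """Return the non-routable block an IPv4 address falls in, or 'public'."""
    ip = ip_address(addr)
    if not isinstance(ip, IPv4Address):
        raise ValueError(f"IPv4 only: {addr!r}")
    for name, nets in RANGES.items():
        if any(ip in net for net in nets):
            return name
    return "public"


def nat_layers(router_wan_ip: str, observed_ip: str) -> dict:
    """Compare the router's WAN address with the address an external site sees.

    A WAN address in CGNAT (or RFC 1918) space means the ISP runs a second NAT
    in front of the router, so a port-forward rule on the router alone cannot
    expose an internal service.
    """
    wan_kind = classify(router_wan_ip)
    return {
        "router_wan": wan_kind,
        "observed": classify(observed_ip),
        "double_nat": wan_kind != "public",
        "port_forward_works": wan_kind == "public" and router_wan_ip == observed_ip,
    }


if __name__ == "__main__":
    # Constructed values mirroring the situation in the post above.
    print(classify("192.168.1.20"), classify("100.64.12.1"), classify("203.0.113.7"))
    print(nat_layers("100.64.12.1", "203.0.113.7"))
```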

Some ISPs do NAT their clients. My ISP does it in a tricky way: it assigns IPs for new clients from a non-NATed pool. Then later they start to add clients to the NATed pool.
Whoever complains will be held in the non-NATed pool. Others are moved behind NAT. I know this from my case, when I had to talk to an operator at my ISP, when they had just NATed me. I asked not to be NATed, and got it for free.

I also have a VPS, and on that I’m currently experimenting with reverse ssh tunnel.
That could punch a hole even into a multiple NAT isolation :slight_smile:

From a computer behind NAT, I open a reverse tunnel to my VPS:
ssh -N -T -R my.vps.tld:24576:localhost:22 sshuser@my.vps.tld -p <my_vps_ssh_port>

That opens port 24576 on my VPS, where it listens for SSH connections, which are then tunneled into the computer behind the NAT.
So from any remote computer I seemingly connect to the VPS, but using a username/password valid on the computer behind the NAT:
ssh <username_at_computer_behind_nat>@my.vps.tld -p 24576
Seems to work so far…

3 Likes

I have tried a reverse ssh from a Gnome-boxes VM into the host. That certainly works across NAT… I can ssh or sftp from the host into the VM, and I think sshfs may even work, although I did not test that.

3 Likes

SSHFS!
Great idea to try it, thanks! :star_struck:

Edit:
Yes, it works :smiley:
Tried…

1 Like

That is great to know, thanks.

NFS will work over NAT too, because it uses RPC.

1 Like