Invert Match vs Implicit Deny

The difference is what implicit effects you will get and may not have explicitly considered.

E.g. if you have an allow from all to all rule at the end you may need to explicitly block access to the pfSense UI and SSH ports in some of your networks. (See the following thread: Pfsense login accessed from public IP internally.)

I would encourage you to never do that and to explicitly allow things you are OK with to happen. That is a more failsafe approach.

Also, instead of “! private” you can have more aliases, one for each network, enumerating which other internal networks it may access, and then allow “iot-destinations” at the end of the rule list.

The beauty of this is that you will see all traffic blocked by the default deny rule in the logs. This allows you to identify unwanted traffic, or to see which additional rules you would need to add to allow wanted traffic that is blocked by accident.

The end of a filter list would be something like:

allow IPv4 * * iot-destinations * * (change alias content accordingly, if no other networks accessible, it should be empty, do not include the own network address)
allow IPv4 * * !ALL_RFC1918 * * (only if this VLAN has Internet access)

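As an added illustration (not part of the post above), the following Python snippet simulates pfSense's first-match rule evaluation with the implicit default deny, and compares a catch-all "allow any" rule set against the explicit alias-based rule set the post recommends. The alias contents (an IoT VLAN whose only permitted internal peer is 192.168.50.10, and a firewall address of 192.168.1.1) are constructed for the example; pfSense's real matching (interface binding, protocol, states, floating rules) is simplified away.

```python
import ipaddress

# Constructed aliases for the example; adjust to your own networks.
ALIASES = {
    "iot-destinations": ["192.168.50.10/32"],   # the only internal host IoT may reach
    "ALL_RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "this_firewall": ["192.168.1.1/32"],        # the pfSense box itself (constructed)
    "any": ["0.0.0.0/0"],
}


def matches(dst, alias_expr):
    """True if dst is in the alias; a leading '!' inverts the match."""
    negate = alias_expr.startswith("!")
    nets = [ipaddress.ip_network(n) for n in ALIASES[alias_expr.lstrip("!")]]
    hit = any(ipaddress.ip_address(dst) in n for n in nets)
    return hit != negate


def evaluate(rules, dst, port):
    """First matching rule wins; nothing matching falls to the logged default deny."""
    for action, dst_alias, dst_port in rules:
        if matches(dst, dst_alias) and dst_port in ("*", port):
            return action, f"rule: {action} {dst_alias} {dst_port}"
    return "block", "default deny (logged)"


# Catch-all: everything passes, including the firewall's own UI and SSH ports.
ALLOW_ALL = [("pass", "any", "*")]

# Catch-all plus the explicit blocks the post says you would then need.
ALLOW_ALL_PATCHED = [
    ("block", "this_firewall", 443),
    ("block", "this_firewall", 22),
    ("pass", "any", "*"),
]

# The post's recommended tail: explicit internal destinations, then Internet only.
EXPLICIT = [
    ("pass", "iot-destinations", "*"),
    ("pass", "!ALL_RFC1918", "*"),
]


if __name__ == "__main__":
    for name, rules in (("allow-all", ALLOW_ALL), ("patched", ALLOW_ALL_PATCHED), ("explicit", EXPLICIT)):
        for dst, port in (("192.168.1.1", 443), ("10.0.0.5", 22), ("192.168.50.10", 8123), ("8.8.8.8", 53)):
            print(f"{name:10} {dst}:{port} -> {evaluate(rules, dst, port)}")
```

The patched catch-all still lets the IoT VLAN reach 10.0.0.5:22 (an implicit effect nobody listed), whereas the explicit set blocks it and logs the attempt under the default deny.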