Just to add a bit to this.
PageSpeed Service serves webpages on my behalf to my visitors by retrieving original content from my origin server.
As a result, all requests to the origin server will be from Google's IP addresses.
To get the IP address of the user on the origin server, Google recommends we use the value stored in the X-Forwarded-For HTTP header.
The configuration of this is not really your problem at all and is something I am looking into as it has additional negative impact on data collection for all analytics tracking, but what I did notice is that I became locked out of my own account with PageSpeed active because the request was coming from a "blacklisted" IP address.
It will be blacklisted because 100's or even 1000's of hackers will be coming via the Google servers.
I wonder how many false positives your stats are showing because of legitimate visitors being blocked like this?
Additionally, the PageSpeed service can be plugged into the W3 Total Cache dashboard, and millions of WP sites use W3TC and PageSpeed.