if the response is a 200 OK for any requested url then that url is "published". i've seen plenty of unwanted duplicate content in the index under IP addresses. "security through obscurity" is not the solution here.
Only if the bots know the test location, I don't see how, unless you explicitly publish it or perhaps give some traces to spiders about them. But that's up to how each one of us does testing. I find it easier than digging out IP ranges.
Test environments aren't continuously active. They can also be as secure as the main site so it's not matter of security.