Thanks for the info, but I think your second statement is incorrect. According to this page:
When you configure an access control list (ACL) and a packet fails the Unicast RPF check, the Unicast RPF checks the ACL to see if the packet should be dropped (by using a deny statement in the ACL) or forwarded (by using a permit statement in the ACL). Regardless of whether the packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for Unicast RPF drops and in the interface statistics for Unicast RPF.
So it seems that permitting traffic through an ACL doesn’t bypass the URPF check, but does in effect override it.