I think it's generally recommended to run iQuery over the same route clients would take. It's encrypted traffic, so you shouldn't need to worry about someone snooping on it. And you could lock down the ports on the firewall to only the other GTMs/LTMs.
Our LTMs have been specified within the GTMs using their private LAN addresses; each GTM has a route to the LTMs through the LAN.
The problem we have is that when one of the internet links goes down, the GTMs can still see the LTMs through the LAN, so they still respond to DNS queries as iQuery is still functioning as normal. My plan is to specify each LTM on the GTM using a public IP address which I will NAT on the firewall to its private IP. iQuery between GTMs and LTMs at different data centres will then run over the internet, so it takes the same route as a client would take; therefore, if any device or link fails across that route, the GTM will mark the virtual server associated with the failed device/link as down.
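As an added illustration of the plan described in the post above (this is not the poster's configuration, nor text from F5 documentation), here is how the remote LTM could be defined on the GTM in tmsh so that iQuery leaves via the firewall instead of the LAN. The datacenter name, server name and all addresses are constructed placeholders: 203.0.113.10 stands for the public address the firewall NATs, and 10.1.1.10 for the LTM's private address. The use of the `translation` attribute to record the private address behind the NAT is an assumption about how you would map the two.

```tmsh
# Added example, not the original poster's config.
# Addresses are placeholders (RFC 5737 public / RFC 1918 private).

# Data centre that holds the remote LTM
create gtm datacenter dc2

# Define the remote LTM by the PUBLIC address that the firewall NATs
# to the LTM's private address. Because the GTM has no LAN route to
# 203.0.113.10, iQuery (tcp/4353) must cross the internet link, so a
# failure of that link also fails the iQuery session and the GTM marks
# the LTM's virtual servers down.
create gtm server ltm-dc2 {
    datacenter dc2
    product bigip
    addresses add {
        203.0.113.10 {
            # private address of the LTM behind the NAT (assumed mapping)
            translation 10.1.1.10
        }
    }
    monitor bigip
}

save sys config
```

On the firewall, the NAT rule for 203.0.113.10 -> 10.1.1.10 should only permit tcp/4353 (iQuery) from the peer GTM's address, which matches the earlier advice to lock the ports down to the other GTMs/LTMs rather than exposing them generally. Remember to remove (or stop relying on) the LAN route for this address on the GTM; if a more specific LAN route to the private address still exists and the server is defined by that address, iQuery will keep using it.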