I have tested with cooked, unparsed, encrypted data from a Universal Forwarder and filtering works.
The indexer input is however splunktcp-ssl and it works.
As per docs:
Use this stanza type if you are receiving encrypted, unparsed data from a forwarder or third-party system.
This input broke event filtering.
Can I just go ahead and use splunktcp-ssl and assume all is good?
You should use splunktcp type connections for receiving data from Universal Forwarders. tcp-ssl is as is implied in the docs mostly for 3rd party products. There's no need to use it unless you know what you're doing and why.