The non-encrypted part of an uplink reveals a device’s DevAddr, but that is not unique.
So, filtering needs the gateway to know the secret NwkSKey for all whitelisted devices, to be able to validate the MIC to uniquely identify the device. (In LoRaWAN 1.0.x it would even need to know, or brute force, the frame counter’s 16 most significant bits, which are not in the message either. I don’t know for 1.1.) For OTAA, the NwkSKey changes for each join. (OTAA Join Requests could probably be filtered using the non-encrypted AppEUI.)
Yes, TTN does a lot of work for us! 