can localhost be spoofed?

No.

It is possible to send data as fake 127.0.0.1, but the reply will go "out" (stay inside actually) the loopback interface, and be 'lost'.

If there is a router on the way, it will send the packet through it's own loopback interface, and it will be lost there.

Yes. Surprisingly, it is possible to spoof a loopback source address. Obviously you won't get any replies, so your spoofed packet also needs to include an exploit. Also it will be stopped at a router, so you need to be on the same local network as the victim. The remote hole CVE-2014-9295 was exploitable in this way.

It turns out OS X and the Linux Kernel behave similarly in this case. Any IP packet arriving on an external interface and with the source IP 127.0.0.1 will be dropped immediately. But if we use IPv6 instead we can actually spoof ::1 and send control mode packets to the daemon (some Linux distributions have firewall rules in place that protect against this, e.g. Red Hat). Thus, if we are on the same local network, we can send spoofed packets to the link-local address of the target and bypass the IP restrictions.

http://googleprojectzero.blogspot.de/2015/01/finding-and-exploiting-ntpd.html

Loopback data usually never makes it to the network. It is intercepted and, well, looped back, before that happens. Since it never hits the actual network nothing on the network can intercept it.