If you are using an nginx reverse proxy, you could use the site conf file to restrict the login page to only your local network (in the below example 192.168.0.x) or even a specific single IP address (as long as it is static for the accessing machine!) ...
I did this as I found that even though I had not allowed external access to ports 5432 and 22300 through the server's firewall, Docker made the ports available to other machines on the network regardless.
I stopped looking at security when I realised that I did not need my Joplin server to be accessible from the Internet and so made it internal only. In fact, I do not run anything anymore that is Internet-facing; life is a lot easier after making that decision.
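
A site conf of the kind described above, as an added example that is not part of the original posts. The `/login` path, the host name, the certificate paths and an upstream published only on 127.0.0.1:22300 are assumptions; 192.168.0.0/24 is the 192.168.0.x network mentioned in the thread.

```nginx
# Added example: names, paths and the upstream address are assumptions.
server {
    listen 443 ssl;
    server_name joplin.example.lan;                              # hypothetical host name

    ssl_certificate     /etc/nginx/ssl/joplin.example.lan.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/joplin.example.lan.key;   # placeholder path

    # Login page: reachable from the local network only.
    location /login {
        allow 192.168.0.0/24;      # the 192.168.0.x network
        # allow 192.168.0.50;      # or one static client address (constructed value)
        deny  all;                 # every other source gets 403 Forbidden

        # Assumes the container port is published on loopback only,
        # so nginx is the only way to reach it from other machines.
        proxy_pass http://127.0.0.1:22300;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # All other routes are proxied without the address restriction.
    location / {
        proxy_pass http://127.0.0.1:22300;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The `allow`/`deny` rules are matched against the source address nginx sees on the connection, so they only mean "local network" when clients reach nginx directly rather than through another proxy or NAT hop. Routes served by `location /` stay reachable from any address that can reach nginx; move the rules to the `server` level to restrict the whole site.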