It should also be possible to uninstall the service, if you don’t want to use it.
Of course, there should be an option to bind the websocket to an ip address (so maybe open an issue in github.
If you are planning on putting OH directly on the Internet, please don’t. Use (in order of preference) myopenhab.org, a VPN (tailscale and Cloudflare are ready and popular), a self hosted openHAB cloud server, or a reverse proxy.
What little security that exists built into OH itself is not sufficient to protect itself if directly exposed to the Internet. And even if it were, you’d want to set up firewall rules, in addition to fail2ban and a monitoring system and regimen.
I’ll also note that many add-ons open additional ports unique to that add-on.
If you are not exposing OH to the Internet, what are you protecting OH from?