This is exactly how the WOPI protocol works. Connections always use the public FQDN, which usually results in going through the public internet as long as no special measures like split-brain DNS (101: Split-Brain DNS (split-horizon)) are in place.
Yes, the connection is secured with a token. Limiting network ranges adds an additional security layer, which might or might not be required for your specific installation.