You could use the fileaccesscontrol-app to restrict access to local or other ip ranges. There has been some improvements for the latest version:
For each client you can set up individual app passwords (not the normal user login, which could have an additional security feature like 2FA).