WOPI allow list restricts requests on the network layer - it’s low level like a firewall - only IP addresses are accepted there, no content awareness…
and just to be clear - it is not “insecure” to leave it open - every access is secured by dynamic token which changes all the time - chances are extremely low somebody could brute-force this token in a short timeframe it is valid.. on the other side if an attacker is in position to steal the token from the client or application - allowlist would not protect against such attack.
what you can do is implement 101: Split-Brain DNS (split-horizon) so WOPI requests remain internal and you could lmit wopi_allowlist to internal network range the idea was deeply discussed in Local access for Collabora with different possible solutions.