While the initial request will be outgoing, the db will respond on port 1433 as well won't it?
This is a bit technical but the DB will respond to the port from which the request was made. This is usually a dynamic TCP port that the Cloudron app opened. The firewall has special rule to allow all incoming packets if it's an "established" connection. This is the reason why an outsider can connect to a port as long as it was cloudron that initiated the conversation first.