Cloudron Forum

MiddleEndian

@MiddleEndian
Posts


  • How to set-up Firewall and/or Proxy to protect my Cloudron instance?
    MiddleEndian

    Thanks for your attention and my apologies for not being able to read your source code before posting here. Actually I tried to, but when following the https://git.cloudron.io/cloudron link (at https://www.cloudron.io/opensource.html), this GitLab landing page looked like I'd need an account in order to read the code.
    Now that I view it again, I see it actually has a link in the footer (labeled as "Explore") that allows anyone to view the code. A little counter-intuitive, as all of the other footer links only relate to the GitLab project itself.
    Anyways, I hope this "discovery" makes me (and others) avoid unnecessary or malformed questions in this forum.

    That said, I think that security and privacy deserve more attention in your documentation (and maybe in some parts of the PaaS product). The UFW rules used are just too permissive (which is OK inside a SOHO network), but could be better tailored with a drop-in file to make user-provided custom firewall chains; writing a blocklist in a little web text field (or posting it via an API without knowing the maximum payload size) seems unreliable; this lack of explicit documentation about reverse proxying, WAF (etc.) just annoys part of your potential customers. Also, while being something not simple to safely deploy, Cloudron could have built-in (or a documented tweak for) traefik.io (or any WAF) integration; some encryption/obfuscation mechanism (at least) for end-user data on the Docker volumes (protecting the data at rest from third parties); and maybe allow installing some monitoring agent inside each app deployment.

    What worries me is that, while having great respect for the Cloudron project and product, maybe just deploying Cloudron "as-is" in a VPS would create security breaches that are (unnecessarily) worse than the privacy breaches regarding the Big Tech ecosystem.

    Support firewall

  • How to set-up Firewall and/or Proxy to protect my Cloudron instance?
    MiddleEndian
    • I recently purchased a Cloudron license but until now I couldn't actively use it due to security concerns: I wish to have another VPS instance (in the same VPC) acting as a gateway (to my Cloudron), such that it could provide reverse proxy (NOT ONLY for HTTPS), maybe packet filtering, VPN and whatever else a gateway/router would do.
    • Other posts that I found in this forum were not specifically helpful, and, as of now, the documentation about it is somewhat terse (https://docs.cloudron.io/networking/#firewall).
    • So I humbly ask the following:
    1. What EXACTLY (on the Linux system and wherever else) does the "Trusted IPs & Ranges" setting do? The GUI description suggests it only applies to HTTP, but why is that? What's the difference
    2. What EXACTLY (on the Linux system and wherever else) does the "Blocked IPs & Ranges" setting do? Is it just transpiled into Cloudron's instance nftables/iptables?
    3. What is the maximum number of lines that the "Blocked IPs & Ranges" and "Trusted IPs & Ranges" can take? And how long does it take to be in effect?
    4. Could Cloudron's staff shed some light on this in the documentation? I found other forum topics asking for clarifications on networking configs like this, so maybe it deserves to get more detailed documentation.
    Support firewall