Depends with your security priorities and if you trust the software you plan on using. Securing software/docker containers can be as deep deep a rabbit hole as you willing to go.

I don’t check it all the time like a maniac but I have a glances docker running on my main server.

Installing fail2ban and not configuring it is as good as not installing the program in the first place.

Include unattended-upgrades with configuration for security updates. This is essential to any actively accessible server.

Some good advice here. I would say avoid using network_mode: host unless you really have to. And make use of no-new-privs feature. This is easy to do and IMO bare minimum for preventing rogue actions from containers.

This is a skill issue. Shut down every thing you don’t consider a necessity. Problem solved.