When I enable the server on my Android device, it shows two IP addresses below the device name. One is the local IP address (to which I connect to with other devices), the other one most likely one assigned by my mobile data network connection. In my case this second one is an IP address in the 100.64.0.0/10 (100.64.0.0 - 100.127.255.255) network range.
I consider this a bit of a security risk, as I don’t know what else is in that mobile network which could potentially access the server.
Is there a way to restrict binding the server to private IP address space NICs only? This is not necessarily the one offered by the WiFi connection, as usage through a VPN connection can also be desired (yet it would most likely also be a private-range IP address). Or restrict it to WiFi and VPN networks?