Yes, that is also what I apply to compose manifests.
The problem is rather that it is always a deviation from defaults and ime can be easily forgotten/ overlooked.
It also was at the beginning a bit surprising (listening on 0.0.0.0 and inserting an iptables rule that bypassed my ufw ruleset). Many services listen on on 0.0.0.0 by default but they rarely do it while bypassing the normal host firewall mechanisms.
However, can't you just use e.g. `-p 127.0.0.1:8000:80` since you're aware of the issue? Pretty sure both the CLI and compose support this.
What I do is to only use rootless docker/podman and then forward the ports with nftables rules.