I think this is really a must have, probably the biggest missing feature right now. I fixed this temporarily by running easypanel on a DigitalOcean droplet and enabling (a free) VPC Firewall for that Droplet. I disabled all incoming traffic except 443 from my home IP. However, this will likely break ACME challenges needed for Lets Encrypt certificate renewals. I didn't test that yet, but it should be addresses somehow.

An application firewall, per project or per app, service, template would be great! I would at the least like to make an IP whitelist and block all else. I think the system firewall (ufw/iptables) could easily be utilized for that.

Or alternatively if choosing a blacklisting strategy: have access to an (geo) IP blocklist, fail2ban like features, crowdsec IP list ban, known VPN ip ban, known TOR ip ban et cetera.