If Homey can connect with the Athom cloud servers, it will.
And, from what I know, it will always be accessible through the “external” address (https://CLOUDID.connect.athom.com/, if I remember correctly), no way of turning that off (which is, of course, a bit silly if one of the big selling points of firmware v2 was “security”).
To connect to the cloud server from Homey upward, that is OK. This is for all the services like external API connect and similar. The relay service over CLOUDID.connect.athom.com is a server-side service which should be circumvented only by VPN. From a security point of view, OK, one attack surface less, but generally I wouldn’t disable it as I lose so much without it. Generally, if someone wants to do it, I think Athom could really simply implement it. That is a matter of: should I allow relay to CLOUDID.connect.athom.com or not.
Forwarding ports directly to homey itself is the worst someone can do…
Exactly, really silly! In addition, Athom decided to use homey+cloudID as the hostname since firmware v2.1. Which means everyone who has access to your network and starts a network scan knows your cloud ID. I don’t mean an attack, I just think of friends of mine, who sometimes get temporary access for different reasons.