The default configuration for luci-app-adguardhome sets the http and dns bind_host values to 0.0.0.0, making your instance publicly available. This is for both the DNS server and control interface.
This also seems to be reset with updates.
It does default to being disabled when installed so it is safe to install, just be sure to edit your config file before enabling it.
That should not be the case: 0.0.0.0 means bind to all interfaces, but you still need to open a port before the instance can be reached from WAN. I am not sure there is a reason for panic just yet.
I would think that the default firewall would make this a non-issue
I think other packages bind to all interfaces with 0.0.0.0 (dnsmasq for example) but the default firewall configuration will prevent inbound connections, unless there is a explicit firewall rule in place to allow this, which will have to be either manually done or by added by a package.
I'd imagine it is bound to any interface by default so that it can work regardless of what the LAN subnet might be, given there are many combinations.
It is also worth pointing out that this not an official OpenWrt Luci app:
So when using Luci apps or packages outside of the official repositories, you need to be more cautious.
luci-app-adguardhome is 2 years out of date and will not have the new AGH options. It is far preferable to have AGH web interface on a different port (8080) and configure it from there.