Certainly that's the main problem. The instance that we use in our data center has very strict network policies for in and outbound directions.
Only a handful of servers with similar security precautions have access to the server at all (e.g. Ansible Tower) and definitely not a normal webserver, because they would build a bridge between the Internet and Passwordstate, similar the new App Server would do.
Of course you can say that is a safe bridge with strong gatekeepers on both sides (firewall, crypto and so on), but at the end, it's a bridge that didn't exist before.
And I only have the approval for a security concept without such way of communications.