Based on your link, I think what you are saying is that:
XDCR requires a VPN or SSH tunnels to work securely?
And the only way to prevent remote traffic from getting to 8091 and 8092 require the firewall to do the blocking.
There is no way for the 8091 and 8092 to reject traffic from non-localhost?
That way I can have 2 layers of prevention and no single point of failure, in this case configuration of the firewall vs intelligence in couchbase to prevent unwanted connections.