This repository has been archived by the owner on Jul 17, 2024. It is now read-only.

Securing the metrics endpoint #29

Open
Radiergummi opened this issue Jan 2, 2021 · 0 comments

Comments

@Radiergummi

Radiergummi commented Jan 2, 2021

This is both a question—how do other users of this package secure the endpoint?—and a suggestion: Maybe it would be a good idea to add a section on security to the readme. I'm well aware someone integrating Prometheus into their ecosystem probably knows what they do, but opening up metrics accidentally may still be a huge threat vector.
Therefore I'd like to collect strategies to secure the endpoint, and maybe come up with a secure default to recommend in the readme.

We currently use a middleware that checks the source IP against an allowlist of Prometheus instances (simplified):

public function handle($request, Closure $next)
{
    // Only source IPs on the Prometheus allowlist may reach the endpoint;
    // everything else gets a 404 so the route's existence is not revealed.
    // (Strict comparison, so the config must hold plain IP strings.)
    if (!in_array($request->ip(), config('services.prometheus.allowed_ips'), true)) {
        return abort(404);
    }

    return $next($request);
}
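The allowlist middleware above stops working once the app sits behind a load balancer or reverse proxy, because `$request->ip()` then returns the proxy's address unless Laravel's TrustProxies middleware is configured, and a wrongly configured trusted-proxy list lets a client forge `X-Forwarded-For`. Prometheus itself can present credentials on every scrape (`basic_auth`, `bearer_token` / `authorization.credentials` in the scrape config), so a stronger default is to combine the network check with a shared bearer token. The middleware below is an added example written for this issue, not code from the package or from the issue author; the class name, the config keys `services.prometheus.allowed_networks` and `services.prometheus.token`, and the CIDR helper are all assumptions made for the example.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

/**
 * Hypothetical middleware (example, not part of the package): a request reaches
 * /metrics only if its source IP lies inside an allowlisted network AND it
 * carries the expected bearer token. Both checks fail closed with a 404.
 */
class RestrictMetrics
{
    public function handle(Request $request, Closure $next)
    {
        // Assumed config keys: an array of IPs or CIDRs, and a shared secret.
        $networks = config('services.prometheus.allowed_networks', []);
        $expected = (string) config('services.prometheus.token', '');

        // Network check first: cheap, and it keeps token guessing off the
        // public internet entirely.
        if (!self::ipInNetworks((string) $request->ip(), $networks)) {
            abort(404);
        }

        // An empty configured token never matches: a missing secret must not
        // silently downgrade the endpoint to IP-only protection.
        $supplied = (string) $request->bearerToken();
        if ($expected === '' || !hash_equals($expected, $supplied)) {
            abort(404); // hash_equals: constant-time, no byte-by-byte oracle
        }

        return $next($request);
    }

    /**
     * True if $ip (IPv4 or IPv6) lies in any entry of $networks. Entries may be
     * single addresses ("10.0.0.5") or CIDR ranges ("10.0.0.0/24", "fd00::/8").
     * Malformed entries and address-family mismatches are skipped, never matched.
     */
    public static function ipInNetworks(string $ip, array $networks): bool
    {
        $packed = @inet_pton($ip);
        if ($packed === false) {
            return false;
        }

        foreach ($networks as $network) {
            [$base, $bits] = array_pad(explode('/', (string) $network, 2), 2, null);
            $basePacked = @inet_pton($base);
            if ($basePacked === false || strlen($basePacked) !== strlen($packed)) {
                continue;
            }
            $maxBits = strlen($packed) * 8;
            $prefix = $bits === null ? $maxBits : (int) $bits;
            if ($prefix < 0 || $prefix > $maxBits) {
                continue;
            }
            if (self::prefixMatches($packed, $basePacked, $prefix)) {
                return true;
            }
        }

        return false;
    }

    /** Compare the first $bits bits of two packed addresses of equal length. */
    private static function prefixMatches(string $a, string $b, int $bits): bool
    {
        $fullBytes = intdiv($bits, 8);
        if (substr($a, 0, $fullBytes) !== substr($b, 0, $fullBytes)) {
            return false;
        }
        $remaining = $bits % 8;
        if ($remaining === 0) {
            return true;
        }
        $mask = (0xFF << (8 - $remaining)) & 0xFF;
        return (ord($a[$fullBytes]) & $mask) === (ord($b[$fullBytes]) & $mask);
    }
}
```

Attach it to the route (`Route::get('/metrics', ...)->middleware(RestrictMetrics::class)`) and give Prometheus the same secret through `authorization: { credentials_file: ... }` (or the older `bearer_token_file`) in its scrape config rather than pasting the token into the YAML. If the app is behind a proxy, list only the proxy's real addresses in TrustProxies so `$request->ip()` reflects the scraper and not a spoofed header; serve the endpoint over TLS, since a bearer token on plain HTTP can be replayed by anyone on the path.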