Note: This is a sister post to https://www.bleepingcomputer.com/forums/t/797829/setting-ip-address-and-name-using-router-settings-vs-networkmanagerhostnamectl/, but the question is distinct, so I'm posting separately in hopes of making the discussion easy to follow.
So, I have set up this old laptop with AlmaLinux as a Samba server on my LAN. I configured Samba as follows, following a tutorial I found on the Red Hat website:
- Installed samba and samba-client, then enabled the service with sudo systemctl enable --now {smb,nmb}
- Allowed it through the firewall: sudo firewall-cmd --permanent --add-service=samba
- Created a user specifically for use by Samba clients: sudo adduser -M sambauser -s /sbin/nologin
- Created a Samba password for this user: sudo smbpasswd -a sambauser
- Created a Samba share directory: sudo mkdir -p /shared then sudo chmod 777 /shared
- In /etc/samba/smb.conf, appended the following:
[asuslaptop-samba]
path = /shared
guest ok = no
read only = no
- Configured SELinux to allow remote access to the shared folder: sudo chcon -R -t samba_share_t /shared
After setting up a static DHCP lease and forwarding sambaserver.local to the server's IP in my router settings (see sister post), everything works as intended: I can access my Samba share over LAN by browsing to smb://sambaserver.local and typing in the username and password.
Now my question is just ... how do I know that I am serving my Samba share only over LAN and not to the entire internet?
The firewall-cmd where I let Samba through does not seem to say anything obvious about how "widely" it is opening up the firewall. In man firewall-cmd, I have read about the different firewall "zones" such as public and block, but the documentation speaks only about the intended use case for each of these zones (e.g. public is for "public wifi" networks where you don't necessarily trust other devices on the network), but not what kinds of traffic they actually allow and disallow, nor whether/how the firewall handles traffic originating from or destined for beyond the local network.
I have also set up the Cockpit web interface for my server, which is accessible on LAN, but I couldn't get to it from outside my home wifi when I tried typing in its external IP address (obtained from curl ipconfig.io) followed by :9090 (the port used by Cockpit), which makes me think that the firewall is doing what I want it to do (allowing communication only within the network)—but it bugs me that I don't have "positive proof" of this.
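Added example (not part of the original post): the zone descriptions in man firewall-cmd say nothing about LAN versus internet because firewalld does not know the difference. A zone matches packets either by the interface they arrive on or by a source address range, and firewall-cmd --add-service=samba in the interface-keyed public zone accepts Samba's ports (137/udp, 138/udp, 139/tcp, 445/tcp) from any address that reaches that interface. What keeps the share off the internet today is the router's NAT with no port forward for those ports, which no firewall-cmd output can show. The script below turns the host-side half into a check that can be re-run: it reads firewall-cmd --zone=<zone> --list-all output and reports whether samba is bound to a LAN prefix (a zone source or a rich rule) or accepted from anywhere, and whether smb.conf carries Samba's own hosts allow restriction. The LAN prefix 192.168.1.0/24 and the interface name wlp2s0 are assumptions, and the zone listings and smb.conf fragments inside it are constructed samples, not output from the poster's machine.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: report whether a firewalld
# zone accepts the samba service from any address that reaches its interface
# or only from one LAN prefix, and whether smb.conf carries Samba's own
# `hosts allow` line. Assumed (not in the post): LAN 192.168.1.0/24, wlp2s0.

LAN_PREFIX="192.168.1.0/24"

# Reads `firewall-cmd --zone=<zone> --list-all` output on stdin and prints:
#   OPEN         samba is in `services:` but `sources:` does not name $1; an
#                interface-keyed zone then accepts samba from any address
#   LAN-ONLY     samba is accepted only from $1, because the zone is keyed on
#                that source prefix or via a source-bound rich rule
#   NOT-ALLOWED  the zone does not permit samba at all
classify_samba_exposure() {
    local lan="$1" out
    out=$(cat)
    if printf '%s\n' "$out" | grep -qE '^[[:space:]]*services:.*[[:space:]]samba([[:space:]]|$)'; then
        if printf '%s\n' "$out" | grep -qE "^[[:space:]]*sources:.*$lan"; then
            echo LAN-ONLY
        else
            echo OPEN
        fi
        return 0
    fi
    if printf '%s\n' "$out" | grep -qF "source address=\"$lan\" service name=\"samba\" accept"; then
        echo LAN-ONLY
        return 0
    fi
    echo NOT-ALLOWED
}

# Reads smb.conf on stdin; prints RESTRICTED when a `hosts allow =` line exists
# (enforced by smbd itself, independently of the firewall), else UNRESTRICTED.
classify_smbconf() {
    if grep -qE '^[[:space:]]*hosts[[:space:]]+allow[[:space:]]*='; then
        echo RESTRICTED
    else
        echo UNRESTRICTED
    fi
}

# Constructed samples (not captured from the poster's laptop). First, the zone
# as the post's firewall-cmd line leaves it: samba in `public`, which is keyed
# on the interface and lists no sources.
PUBLIC_AS_CONFIGURED='public (active)
  interfaces: wlp2s0
  sources:
  services: cockpit dhcpv6-client samba ssh
  ports:
  protocols:
  rich rules:'

# After moving samba to the `internal` zone keyed on the LAN prefix with
#   firewall-cmd --permanent --zone=internal --add-source=192.168.1.0/24
#   firewall-cmd --permanent --zone=internal --add-service=samba
#   firewall-cmd --permanent --zone=public --remove-service=samba
#   firewall-cmd --reload
# (`samba-client`, in that zone by default, is a different service.)
INTERNAL_LAN_ONLY='internal (active)
  interfaces:
  sources: 192.168.1.0/24
  services: cockpit dhcpv6-client mdns samba-client ssh samba
  rich rules:'

# Alternative: keep `public` and allow samba only through a rich rule, with
#   firewall-cmd --permanent --zone=public --remove-service=samba
#   firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="samba" accept'
PUBLIC_RICH_RULE='public (active)
  interfaces: wlp2s0
  sources:
  services: cockpit dhcpv6-client ssh
  rich rules:
	rule family="ipv4" source address="192.168.1.0/24" service name="samba" accept'

# The share as posted, and with Samba's own source restriction added.
SMBCONF_AS_POSTED='[asuslaptop-samba]
path = /shared
guest ok = no
read only = no'
SMBCONF_HARDENED="$SMBCONF_AS_POSTED
hosts allow = 127. 192.168.1.
hosts deny = ALL"

# With firewalld present (run as root) classify every active zone and the real
# smb.conf; otherwise run the constructed samples so the logic can be checked.
if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    for zone in $(firewall-cmd --get-active-zones | grep -vE '^[[:space:]]'); do
        printf '%-22s %s\n' "$zone" "$(firewall-cmd --zone="$zone" --list-all | classify_samba_exposure "$LAN_PREFIX")"
    done
    printf '%-22s %s\n' smb.conf "$(classify_smbconf < /etc/samba/smb.conf)"
else
    printf '%-22s %s\n' "public (as posted)"   "$(printf '%s\n' "$PUBLIC_AS_CONFIGURED" | classify_samba_exposure "$LAN_PREFIX")"
    printf '%-22s %s\n' "internal (source)"    "$(printf '%s\n' "$INTERNAL_LAN_ONLY"    | classify_samba_exposure "$LAN_PREFIX")"
    printf '%-22s %s\n' "public (rich rule)"   "$(printf '%s\n' "$PUBLIC_RICH_RULE"     | classify_samba_exposure "$LAN_PREFIX")"
    printf '%-22s %s\n' "smb.conf (as posted)" "$(printf '%s\n' "$SMBCONF_AS_POSTED"    | classify_smbconf)"
    printf '%-22s %s\n' "smb.conf (hardened)"  "$(printf '%s\n' "$SMBCONF_HARDENED"     | classify_smbconf)"
fi
```

Run as root on the laptop it classifies the live zones instead of the samples; sudo firewall-cmd --get-active-zones shows which zone wlp2s0 sits in, and sudo ss -tlnp | grep smbd shows the addresses smbd listens on. The router side, which this script cannot see, is checked from outside the home network with a port scan such as nmap -p 139,445 <external IP>: closed or filtered there means no port forward exists, while the zone source or rich rule above is the positive proof on the host itself, and hosts allow in smb.conf is the same guarantee enforced by Samba even if the firewall is later loosened.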