When talking about security best practices, our ultimate goal should be to ensure that no unauthorized third-party has to access to any part of either our application or infrastructure that we do not want them to have.
For example, I would want an end user to be able to run a script that calls one of my serverless functions via an HTTP request made directly, by a webpage or mobile application. However, I would not want that same user to be able to access my Kubernetes dashboard, for example.
Now, this may seem like a pretty obvious example, but, as we have seen over the past few years, out-of-the-box configurations do not always have this most basic security requirement in mind. A good example of this is MongoDB.