I mean this is true but the key part is “securing them for exposure on the internet.” Adding a simple 2FA layer (I think google calls this the Access Proxy or Identity Aware Proxy) on top is usually the way you secure zero trust services.

I don’t think it is advisable to directly expose your Grafana to the public internet where you can hit it with dictionary attacks.