No, the Postgresql container is exposed only on the VPN interface (Zerotier).

The only exposed containers are (usually) Traefik (80, 443). There is a docker network where traefik talks to all containers handling HTTP traffic.

Other containers run in their own separate docker networks.

As they are using traefik as a reverse proxy, the container is likely not exposed to the internet directly, as long as traefik is there, as it manages all incoming connections.