[1] Specifying something other than 127.0.0.1 (i.e. a different interface or a wildcard address) with the -r parameter of the cli_wallet is not recommended by the developers, and should only be attempted by experts who understand the risks, are running in a properly firewalled and isolated LAN, and trust every user and machine on that LAN with direct access to their funds.

If cli_wallet is started with -H parameter (HTTP-RPC), there is another parameter --rpc-http-allowip, which by default is empty, so nobody include yourself can connect to the cli_wallet, so funds should be safe if I understand correctly, even if no firewall or not specified 127.0.0.1. To enable access via HTTP-RPC, here is an example:

./cli_wallet -s ws://127.0.0.1:8090 -H 127.0.0.1:8093 --rpc-http-allowip 127.0.0.1