That isn't my presumption about nature of the concern. In OP's other comment they specify that the client is specifically worried about the open port.

Well, if you allow remote access, you conceptually allow some kind of logical inbound connection, no matter how it's technically realized.