Ok. more reading and video watching.
In July of 2022 Ken and I did this Ziti TV
It shows you how to successfully 'harden' the ziti controller by "splitting" the management API off and away from the public internet.
This topic was also covered in discourse in 2022 here: Making ZAC dark - #6 by TheLumberjack and lightly here OpenZiti configuration files - #5 by TheLumberjack and ZAC On different host than the controller - #2 by TheLumberjack
As for separating the node from the controller/router, I might caution not to do that but -- that's also been covered in a recent post here Building simple network from scratch - Help - #13 by TheLumberjack where I demonstrate how to have three totally separate machines interconnect, but you can also find other posts of that flavor on discourse too I think. Also, the "docker - no compose" quickstart very specifically shows you how to accomplish that pretty clearly too imo. Local - With Docker | OpenZiti
One part that's missing (on our 'todo' list) is to update the quickstarts to use ALPN. Right now, you'll see all our quickstart / doc refer to the "control plane port" (where routers communicate to the controller) and the "client api/management api" port (where the REST-based api is). Well nowadays you can just use the same port and with ALPN ziti will figure out if you meant http traffic or control plane traffic... Same for routers too. Routers need two ports in our quickstarts, one for router to router comms (the data plane) and one for edge clients to connect (tunnelers/sdks/etc)... ALPN solves that too.... So that's "out there" but not in our quickstarts yet.
hope that helps...
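The single-port idea in the post above, as an added example that is not part of the original reply and not OpenZiti's own code: one TLS listener advertises two ALPN protocol IDs, and the server decides after the handshake whether a connection is a control-plane channel or an HTTP API client by reading the negotiated protocol. "http/1.1" is the registered HTTP ID; "demo-ctrl" is a constructed placeholder, not the ID OpenZiti actually uses. The certificate is generated in memory so the example runs offline, and a connection that offers no ALPN at all is refused rather than guessed at.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"log"
	"math/big"
	"net"
	"time"
)

// ALPN IDs for the demo. "demo-ctrl" is a placeholder, not OpenZiti's real ID.
const (
	alpnHTTP = "http/1.1"
	alpnCtrl = "demo-ctrl"
)

// DemuxServer is one TLS listener that routes each connection by its negotiated ALPN value.
type DemuxServer struct {
	Addr  string
	roots *x509.CertPool
	ln    net.Listener
}

// selfSignedCert builds a throwaway certificate for 127.0.0.1 so the example runs offline.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "demo-controller"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, err
}

// StartDemuxServer listens on a random loopback port and serves until Close is called.
func StartDemuxServer() (*DemuxServer, error) {
	cert, parsed, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		NextProtos:   []string{alpnCtrl, alpnHTTP}, // both kinds of traffic on one port
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(parsed)
	s := &DemuxServer{Addr: ln.Addr().String(), roots: roots, ln: ln}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go handle(c)
		}
	}()
	return s, nil
}

// handle finishes the handshake, then dispatches on the protocol the client negotiated.
func handle(c net.Conn) {
	defer c.Close()
	tc := c.(*tls.Conn)
	if err := tc.Handshake(); err != nil {
		return
	}
	switch tc.ConnectionState().NegotiatedProtocol {
	case alpnCtrl:
		io.WriteString(c, "control-plane\n") // would hand off to the router channel
	case alpnHTTP:
		io.WriteString(c, "management-api\n") // would hand off to the HTTP API server
	default:
		io.WriteString(c, "rejected\n") // no ALPN offered: refuse rather than sniff bytes
	}
}

// Close stops the listener.
func (s *DemuxServer) Close() { s.ln.Close() }

// Dial connects offering the given ALPN ID ("" offers none) and returns the server's verdict.
func (s *DemuxServer) Dial(proto string) (string, error) {
	cfg := &tls.Config{RootCAs: s.roots, MinVersion: tls.VersionTLS12}
	if proto != "" {
		cfg.NextProtos = []string{proto}
	}
	conn, err := tls.Dial("tcp", s.Addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	line, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		return "", err
	}
	return line[:len(line)-1], nil
}

func main() {
	s, err := StartDemuxServer()
	if err != nil {
		log.Fatal(err)
	}
	defer s.Close()
	for _, p := range []string{alpnCtrl, alpnHTTP, ""} {
		v, err := s.Dial(p)
		fmt.Printf("alpn=%q -> %q err=%v\n", p, v, err)
	}
}
```

The dispatch happens only after the TLS handshake completes, so the choice is made on an authenticated, integrity-protected value rather than by peeking at plaintext bytes; a client that offers an ALPN ID the server does not list fails the handshake outright, which is the behaviour you want from a listener that doubles as a management API endpoint.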