If you’re not app-embedded, you need tunnelers of some kind. You can either have the tunneler running inside an edge-router, in which case you need the tunneler binding, or you can have it running standalone, in which case you don’t. A standalone tunneler looks just like any other SDK app to the edge router.
I think usually public/private routers refer to where they sit on the internet, in public or private networks.
Public routers are those that can be reached on the public internet. Public edge routers can be used to allow clients coming from arbitrary locations access to a ziti network. Public routers (either fabric or edge) can also be a means for routers in private networks to be bridged together. If you have private routers in private networks A and B, they can’t reach each other. But they can both reach out and from links to one or more public routers, allowing traffic to flow from A to B (provided you have the right policies configured).
Private routers are those that are in a private network. They reach out to the public routers to form the fabric mesh and provide access to the services that are in the same private network. They can also provide access to clients in the same private network.
If you removed everything from the listeners section you wouldn’t be able to initiate any connections to that router. Depending on what you had in the dialers section, you might be able to have traffic terminating on that router.