Right. I didn’t claim them to be “vanilla installs”.
So I tested removing the official cloudflare template on one of them then rebuilding, unfortunately didn’t make a difference. Still accessible insecurely via IP.
Can’t really think of anything else out of the ordinary between those installs. The only plugins on that instance were the default included docker manager and the official ad plugin. It’s on the stable branch, but the other sites that also behave the same are on a mix of stable, beta and tests-passed.