The Mosquitto MQTT Add-On Configuration page allows one to set the port numbers for the four MQTT listener ports, but it does not allow one to specify the corresponding bind_addresses. For HA instances which have multiple interfaces this results in MQTT opening ports on all interfaces. Good security policy requires limiting access to MQTT to only the required interfaces.
In my case, MQTT is only used by services on the machine hosting MQTT, so my preference is to specify a bind_address of 127.0.0.1 for all ports. Even those people who have MQTT requirements outside the HA host machine would probably want to avoid exposing MQTT to their IOT or Guest interfaces.