Allowing unrestricted, public access to cloud services could open an application up to external attack. Disallowing this access is typically considered best practice.
In GCP Console -
In Terraform -
References:
https://cloud.google.com/appengine/docs/standard/creating-firewalls
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/app_engine_firewall_rule#action