Hi @m121 thanks for the bump, missed this post.
This appears to be similar to a related post.
The config.json file is simply plain-text. It is up to you to ensure the directory is not publicly accessible through some configuration mishap (I have seen this here before) and that the files have pretty standard file-level permissions for a vw-user service account of some kind.
Best practice would be to have a directory owned by a specific service user, have docker rootless run for that user with your Vaultwarden instance running as that user.
Even going so far as to have the /admin interface on some type of WAF reverse proxy and only restrict access for internal and VPN connectivity.
But that starts to get out of scope of this post.
Hope this info helps.
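
A permission check for the setup described in the reply above, as an added example that is not part of the original post or of the Vaultwarden project. The function name `audit_vw_data`, the thresholds (no access for "other" on the data directory, owner-only access on config.json) and the use of GNU `stat` are assumptions of this example; the data directory and service account are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original post. Policy assumed here:
#   - data directory and config.json are owned by the service account
#   - neither grants any access to "other"
#   - config.json (plain-text settings) grants no group access either

# audit_vw_data DIR OWNER
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_vw_data() {
    dir=$1 owner=$2 rc=0
    for path in "$dir" "$dir/config.json"; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        user=$(stat -c '%U' "$path")   # GNU stat: owning user name
        mode=$(stat -c '%a' "$path")   # GNU stat: octal mode, e.g. 600
        perm=$((0$mode))               # leading 0 makes the shell parse it as octal
        other=$((perm & 7))
        group=$(( (perm >> 3) & 7 ))
        if [ "$user" != "$owner" ]; then
            echo "OWNER    $path is owned by $user, expected $owner"; rc=1
        fi
        if [ "$other" -ne 0 ]; then
            echo "WORLD    $path mode $mode grants access to every local user"; rc=1
        fi
        if [ "$path" != "$dir" ] && [ "$group" -ne 0 ]; then
            echo "GROUP    $path mode $mode grants group access to a plain-text file"; rc=1
        fi
    done
    return "$rc"
}

# Usage: sh audit.sh /path/to/vw-data vw-user
if [ "$#" -eq 2 ]; then
    audit_vw_data "$1" "$2"
fi
```

This only covers local file permissions; whether the directory is reachable through the web server or reverse proxy has to be checked in that configuration separately.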