> You aren’t supposed to have it on a public subnet.

That's an incredibly bad assumption. To have defaults assume that you are on a protected network (what does that even mean? like what permissions are assumed just because you are on the same network? admin?) is just bad practice.

Private networking for internal things like databases has been the standard best practice for a long, long time.

Safe default configuration has been the standard practice for even longer.

I’m all for both.

It's not anymore! They actually changed their defaults and it helped tremendously to reduce the exposure of Redis instances on the Internet.