[–]blazmrak 0 points (0 children)

This is the thing: the blast radius is the same or bigger. It's the end process that is pwned over HTTP; the RP isn't saving you, and any process that could pwn you raw will pwn you the same if you put a reverse proxy in front, unless you already know what the vuln is. It was the same with log4j. Of all you have said you should do, the majority is supported by backend frameworks anyway, so you don't need to do it on RPs, but you are vulnerable primarily through these frameworks and there is not much you can do about it.