At the moment the server just listens to localhost. Before allowing non-localhost access*, it would make sense to at least have some basic rate limiting for incoming queries. Maybe there's something off-the-shelf for this?
Also worth pointing out that an upstream firewall or similar could provide this as a stopgap.
I'm now somewhat leaning towards just saying "hey maybe don't expose this on the internet". I'm also thinking that any rate limiter implementation would need to be carefully thought out as it otherwise risks creating problems for people, even in LAN situations. But I'll leave this open as a longer-term wishlist item.