I specify it in org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS
Yes, no-tcp-relay is there, but that doesn't worry me: this host is in the DMZ and cannot connect to the internal network (except for a few ports).
But if I understand it correctly, specifying allowed-peer-ip=172.16.69.25
will allow external hosts to send udp packets to any port at 172.16.69.25 (i.e. the internal ip of the jitsi/coturn server) and that does worry me. There are not many services listening on udp (coturn itself, dnsmasq, ntpd and systemd) but who knows what can be done by accessing those (especially systemd).
No, it cannot be it: according to the manual page of coturn, its white/black lists are for addresses it can relay to, not the addresses it will accept connections from.
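As an added illustration of the distinction made above (not a configuration from the original thread or from the coturn project): the peer allow/deny lists in turnserver.conf control which addresses coturn will open a relay to, so a defender who wants to keep relayed traffic off the internal network expresses that with denied-peer-ip ranges rather than with allowed-peer-ip. The address 172.16.69.25 is taken from the thread; the RFC 1918 ranges and the comment text are assumptions added here.

```ini
# Hypothetical turnserver.conf fragment (added example, not from the thread).
# These options restrict where coturn may RELAY packets to; they do not
# restrict which clients may connect to the TURN listening port.

# Do not relay to the internal RFC 1918 networks at all.
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255

# Only if a specific internal host must be reachable through the relay,
# allow it explicitly; an allowed-peer-ip entry overrides a denied range.
# The address below is the server's own internal IP from the thread.
# allowed-peer-ip=172.16.69.25

# Keep the other relay restrictions discussed in the thread.
no-tcp-relay
no-multicast-peers
```

Because the lists act on relay destinations, a client that reaches the TURN port can still request allocations; what changes is that an allocation whose peer falls inside a denied range is refused. Whether anything should be able to relay to 172.16.69.25 itself is the question the thread raises, so the allowed-peer-ip line is left commented out here.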
About coturn and systemd: coturn does not by default relay to localhost. If systemd listens on the network on your server it's not normal, by default it does not.
It was the rpcbind.socket listening on 0.0.0.0. I didn't explicitly enable it, so it must be active by default. I disabled it.