I think you're on the right track here. I don't know that I can completely comment on "best practices" without a bit more reading on/exploration of the topic, but config.yml is definitely my favorite approach. Nothing says the config.yml file needs to be stored in GitHub (in many cases, it might not be for secrecy). However, it is deployed with your code bundle to shinyapps.io.
One of the really nice benefits of the config package is that it can pivot based on the environment (i.e. shinyapps.io can connect to a different database than locally or on an RStudio Connect instance by using the R_CONFIG_ACTIVE variable, shinyapps, noted in the shinyapps docs here).
This is my go-to link on the topic, in case you are interested in further reading: https://db.rstudio.com/best-practices/portable-code/
After that, I would recommend a thorough perusal of the shinyapps docs. It has several tidbits in there about security, IP address permissiveness, etc.
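A concrete version of the environment-pivoting setup described above, as an added example that is not part of this reply or of the config package's own docs; the host names, database names and the APP_DB_PASSWORD variable are constructed placeholders.

```r
library(config)
library(DBI)

# Constructed config.yml, written to a temp file so the example runs offline.
# Neither block stores the password in the file: the config package's !expr
# tag evaluates R code at load time, so the secret is read from the deploy
# environment. The shinyapps block is picked when R_CONFIG_ACTIVE=shinyapps.
cfg_yaml <- '
default:
  db:
    host: "localhost"
    port: 5432
    dbname: "app_dev"
    user: "dev_user"
    password: !expr Sys.getenv("APP_DB_PASSWORD")

shinyapps:
  db:
    host: "db.internal.example"   # constructed hostname
    port: 5432
    dbname: "app_prod"
    user: "app_user"
    password: !expr Sys.getenv("APP_DB_PASSWORD")
'
cfg_file <- file.path(tempdir(), "config.yml")
writeLines(cfg_yaml, cfg_file)

# config::get() defaults to config = Sys.getenv("R_CONFIG_ACTIVE", "default"),
# which is what makes the same code pivot between local and shinyapps.io.
Sys.setenv(APP_DB_PASSWORD = "constructed-secret")  # set in the deploy env
Sys.setenv(R_CONFIG_ACTIVE = "shinyapps")
db <- config::get("db", file = cfg_file)
stopifnot(db$host == "db.internal.example", db$password == "constructed-secret")

# Fail closed: refuse to start if the secret was not injected, instead of
# silently connecting with an empty password.
if (!nzchar(db$password)) stop("APP_DB_PASSWORD is not set for this environment")

# Build the connection from whichever block is active; nothing is hard-coded.
connect_db <- function(db) {
  DBI::dbConnect(RPostgres::Postgres(),
                 host = db$host, port = db$port, dbname = db$dbname,
                 user = db$user, password = db$password)
}
# con <- connect_db(db)   # needs a reachable database
```

Because the password never appears in config.yml, the file can be committed or bundled with the deploy without leaking a credential; only the environment variable has to be kept out of version control.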