For instance, how can I use my *.domain.com SSL certs and NPM to route containers to a subdomain without exposing them? The main domain is exposed.
I have that setup; my domain is hosted by OVH and they have an API that you can use to get a wildcard certificate with.
At home I run Pi-hole and that has some sites in as local IPs, but if you look the same site up from OVH you would get an internet IP.