An overlooked open port such as 2375 that makes the Docker daemon on a host reachable from outside the network could be a security nightmare. Restricting the daemon to unix:///var/run/docker.sock or localhost:2375 reduces the attack surface, because the daemon is then reachable only from the host itself. To access a remote Docker daemon securely with tools like Portainer or the Docker CLI with a switched context, use TLS encryption or an SSH connection. Here are two examples, one using TLS and the other SSH.
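Before setting up either option, it helps to know what the daemon is currently configured to listen on. The following Python script is an added example, not part of the original page: it reads a daemon.json document and classifies each entry under "hosts"; the function names, sample configurations and certificate paths are constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

def is_loopback(name):
    """True for 'localhost' or any literal loopback address (127.0.0.0/8, ::1)."""
    if name == "localhost":
        return True
    try:
        return ipaddress.ip_address(name).is_loopback
    except ValueError:  # empty host or a DNS name: treat as remotely reachable
        return False

def audit_daemon_config(text):
    """Classify every listener in a daemon.json document as (host, status, reason)."""
    cfg = json.loads(text)
    # tlsverify makes the daemon require client certificates signed by tlscacert.
    # Only the presence of the settings is checked here, not the files themselves.
    mutual_tls = bool(cfg.get("tlsverify")) and all(
        cfg.get(key) for key in ("tlscacert", "tlscert", "tlskey"))
    results = []
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme in ("unix", "fd", "npipe"):
            verdict = ("ok", "local socket")
        elif parts.scheme != "tcp":
            verdict = ("unknown", "unrecognised scheme, review manually")
        elif is_loopback(parts.hostname or ""):
            verdict = ("ok", "TCP bound to loopback only")
        elif mutual_tls:
            verdict = ("ok", "TCP with TLS and client certificate verification")
        elif cfg.get("tls"):
            verdict = ("weak", "TLS without client certificate verification")
        else:
            verdict = ("exposed", "unauthenticated plaintext TCP listener")
        results.append((host, *verdict))
    return results

# Constructed sample configurations; the certificate paths are placeholders.
PLAIN = json.dumps({"hosts": ["unix:///var/run/docker.sock",
                              "tcp://localhost:2375", "tcp://0.0.0.0:2375"]})
HARDENED = json.dumps({
    "hosts": ["tcp://0.0.0.0:2376"], "tlsverify": True,
    "tlscacert": "/path/to/ca.pem", "tlscert": "/path/to/server-cert.pem",
    "tlskey": "/path/to/server-key.pem"})

if __name__ == "__main__":
    for doc in (PLAIN, HARDENED):
        for host, status, reason in audit_daemon_config(doc):
            print(f"{status:8} {host:32} {reason}")
```

Listeners can also be passed to dockerd with -H on the command line (for example in a systemd unit), so a clean daemon.json alone does not prove that no TCP port is open.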
Create a CA, server and client keys with OpenSSL on the Docker host machine
openssl genrsa -aes256 -out ca-key.pem 4096