stefanprodan / swarmprom

Docker Swarm instrumentation with Prometheus, Grafana, cAdvisor, Node Exporter and Alert Manager


Would engine metrics be insecure?

falmar opened this issue · comments

Using experimental and 0.0.0.0:9323 pretty much exports the port to the public. Is there another, secure way to export this and not show it to anyone?

On any cloud provider, only ports 80 and 443 are exposed by default on the internet. If you are running this on bare metal, you should consider using a firewall and blocking this port. If the metrics endpoint were exposed via a socket like the Docker API is, it would be way more secure. Maybe Docker will do that in the future; I've seen some discussions in the Moby project around this topic.

Thanks, I'll consider using a firewall; apparently all ports are open on my cluster.

I followed the official Docker guide and used 127.0.0.1:9323 in my daemon.json on the manager node only, and it works perfectly. I don't see the need to expose it on the 0.0.0.0 address.
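
The check discussed in this thread, as an added example that is not part of the issue or of the swarmprom project: a small audit that reads a `daemon.json` and reports whether `metrics-addr` listens on every interface, on loopback, or on one specific address. The function names and the sample configs are constructed for illustration, and treating an empty host (`:9323`) as a wildcard bind is an assumption made to stay conservative.

```python
import ipaddress
import json

def classify_metrics_addr(addr):
    """Classify a host:port listen address as 'wildcard', 'loopback' or 'specific'."""
    host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"not a host:port address: {addr!r}")
    host = host.strip("[]")              # IPv6 literals are written as [::1]:9323
    if host == "":
        return "wildcard"                # assumption: ":9323" means every interface
    if host == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "specific"                # a hostname; resolution is not attempted here
    if ip.is_unspecified:                # 0.0.0.0 or ::
        return "wildcard"
    if ip.is_loopback:                   # 127.0.0.0/8 or ::1
        return "loopback"
    return "specific"

def audit_daemon_json(text):
    """Return a list of findings for the metrics endpoint in a daemon.json document."""
    cfg = json.loads(text)
    addr = cfg.get("metrics-addr")
    if addr is None:
        return []                        # metrics endpoint not enabled
    kind = classify_metrics_addr(addr)
    if kind == "wildcard":
        return [f"metrics-addr {addr} listens on every interface; "
                "bind it to loopback or an internal address, or firewall the port"]
    if kind == "specific":
        return [f"metrics-addr {addr} is bound to one address; "
                "confirm that interface is not reachable from the internet"]
    return []

# Constructed sample configs: the setting from the question and the one from the last reply.
EXPOSED = '{"metrics-addr": "0.0.0.0:9323", "experimental": true}'
LOCAL_ONLY = '{"metrics-addr": "127.0.0.1:9323", "experimental": true}'

if __name__ == "__main__":
    for name, doc in (("exposed", EXPOSED), ("local-only", LOCAL_ONLY)):
        print(name, audit_daemon_json(doc) or "no findings")
```
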