While the admin page is password protected, the DNS server is not. This is because DNS has no notion of authentication. Leaving your DNS server open will lead to it getting abused for conducting DDoS reflection and amplification attacks. Many VPS providers will likely send you a warning/caution email, if you run a open DNS resolver.

We strongly recommend securing your installation in the following way:
In the AdGuard Home dashboard, go to Settings -> DNS settings. Scroll to the bottom for Access settings and set a list of clients that can access the DNS server. You can also use ipdeny lists (IPv4 and IPv6) to set access and block lists.