Honestly I don't see how we could use the cloud version unless we could at least lock it down the same way we do behind a firewall; VPN or office only.
It's weird - the last company I worked at (and ran IT for about 4 years had everything behind a firewall (like you are describing) - the current gig that I started at about 18 months ago (with about 80 employee) - no concept of a firewall. The entire office just sits behind a Comcast Modem. There is nothing to firewall. Atlassian/Salesforce/GitHub/CircleCI/Gmail/GoogleDocs/Drive/Slack/Lots of K8S and about 15-20 other cloud services make up our "IT" environment. There is zero difference to working from home to working from the office from a tech perspective.
Defense in depth is always a nice thing to have but it hardly seems like a requirement since the reason you lock down services behind a firewall is supposed to be because they're aren't hardened enough to be on the public internet. I don't think that would describe the Atlassian suite who probably has better SecOps than most of their customers.
The post you replied to mentions other methods to separate a service, not being hardened enough is only one of the reasons you would want to do that. A major one being that many Jira deployments are only useful internally anyway so there is no reason to expose it to the outside world.