Create a private network that only connects Traefik and the proxy, and limit Traefik's access to only the GET requests it needs to operate. Now the socket is only exposed to a local container.
This just adds another layer of indirection. While it improves security, it is not the same as fixing the issue in the first place and making sure that no network-facing part of the system runs as root.
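The arrangement described above, as an added example that is not part of the original page: a Compose file assuming the `tecnativa/docker-socket-proxy` image as the proxy (the page names none), with illustrative service names, network names and image tag. The proxy container still mounts the Docker socket, so this narrows what Traefik can reach without removing the root-equivalent access behind it.

```yaml
services:
  socket-proxy:
    image: tecnativa/docker-socket-proxy   # assumed proxy image, not named on the page
    environment:
      CONTAINERS: 1   # permit GET on /containers/*, which Traefik's Docker provider reads
      POST: 0         # refuse every non-read method (POST, PUT, DELETE)
      # /events, /_ping and /version are permitted by this image's defaults;
      # every other API section stays denied unless explicitly enabled.
    volumes:
      # :ro only protects the socket file itself. It does not limit API calls,
      # so the method and path filter above is the real control.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket        # reachable only on the private network, no published ports
    restart: unless-stopped

  traefik:
    image: traefik:v3.0   # example tag, pin to the version you actually run
    command:
      - --providers.docker=true
      - --providers.docker.endpoint=tcp://socket-proxy:2375   # talk to the proxy, not the socket
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
    ports:
      - "80:80"
    networks:
      - socket        # private link to the proxy
      - web           # network shared with the routed services
    depends_on:
      - socket-proxy
    # Deliberately no /var/run/docker.sock volume on the network-facing container.

networks:
  socket:
    internal: true    # no outbound route; only attached containers can reach the proxy
  web: {}
```

To check the filter, request `/containers/json` on `socket-proxy:2375` from a container on the `socket` network (it should succeed), then send any POST, which the proxy should reject with a 403.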