by film42 4664 days ago
But it is a lot cheaper as it doesn't count against your monthly bandwidth. I read this as "cost savings plus added security."

"plus added security"

In one sense the security is "added". But in another sense it's a false sense of security. Because if someone wants to get at you they simply have to get a DO server in the same place and potentially exploit the fact that people have their guard down. (The closest example I can think of is people who have a firewall and don't spend as much time locking down the machines behind the firewall because they think they are covered.)

The real security this provides is that now your access policies for the firewall are much simplified. You can maintain a very reasonable back end network of hosts that aren't exposed to the public Internet and spin up a droplet to be your jump/bastion box, run certificates, and lock SSH down to a sane source on each individual host (only the jump/bastion and not public).

Beyond that it adds no functional security - in fact port scanning on the inside will be much more fruitful with regard to services that default to starting on 0.0.0.0. With that in mind - make sure you're not exposing things that you don't mean to be on the backend.
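The two practical points in the comment above are (a) restrict SSH on each backend host to the bastion only and (b) find services that bind to 0.0.0.0 and are therefore reachable from any other tenant on the private network. The script below is an added example, not code from the thread; it parses constructed `ss -Hltn`-style output to flag wildcard listeners, and emits iptables rules that only accept SSH from an assumed bastion address (10.128.0.2) and drop everything else on port 22.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: this host's private
# address is 10.128.0.5 and the jump/bastion box is 10.128.0.2.

# Constructed sample of `ss -Hltn` output (State Recv-Q Send-Q Local Peer).
# Real output on a backend host would come from: ss -Hltn
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 10.128.0.5:5432 0.0.0.0:*
LISTEN 0 511 0.0.0.0:6379 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::]:9200 [::]:*
LISTEN 0 128 [::1]:25 [::]:*'

# Read ss output on stdin; print "port address" for every listener bound to a
# wildcard address (0.0.0.0, [::] or *), i.e. reachable on every interface,
# including the private one shared with other tenants.
audit_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        # everything before the final ":port" is the bound address
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "0.0.0.0" || host == "[::]" || host == "*")
            print port " " host
    }'
}

# Emit iptables rules that accept SSH only from the bastion and drop the rest.
# Usage: ssh_rules <bastion-ip>   (print, review, then run with sh)
ssh_rules() {
    bastion="$1"
    printf '%s\n' \
        "iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -s ${bastion}/32 -j ACCEPT" \
        "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# Count of wildcard listeners in the given ss output (stdin).
count_wildcard() {
    audit_listeners | awk 'END { print NR }'
}

# Stand-alone run over the constructed sample.
echo "wildcard listeners (port address):"
printf '%s\n' "$SAMPLE_SS" | audit_listeners
echo "SSH rules for bastion 10.128.0.2:"
ssh_rules 10.128.0.2
```

On a real backend host the audit reads `ss -Hltn | audit_listeners`; anything it prints that is not meant to be reachable from the private network should be rebound to the host's private address or loopback, or covered by a firewall rule like the SSH ones above.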