Published ports only apply to bridge networks (and on swarm overlay networks).
If a container is attached to an ipvlan, macvlan or the host network, it will be reachable by the respective container IP. If a service binds all interfaces inside a container, that port will be accessible over an ipvlan, macvlan or host IP. Since you already use fixed container IPs, why don’t you just bind the service to a specific IP, instead of trying to prevent it from being reachable on the ipvlan IP?
Depends on the service/application. You would need to figure this out on your own for each(!) service/application individually.
I am not sure. Since I don’t use ipvlan or macvlan, I can’t tell you what the default gateway for a container would be. Never looked at it to be honest, as I use neither ipvlan nor macvlan.
It is unlikely that images provide an environment variable to set this, as images are usually designed to bind the port to 0.0.0.0 (= all IPs). Depending on where the main process is started, it could be in the Dockerfile, the entrypoint script or a configuration file of the service/application.
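To find out which services inside a container actually bind 0.0.0.0 (and are therefore reachable on the ipvlan/macvlan IP), you can read the kernel's listening-socket table. The script below is an added example, not code from the reply above or from Docker; it parses the /proc/net/tcp format and runs against a constructed sample when tested, or against the live file when run inside the container.

```python
"""
Audit which listening TCP sockets are bound to all interfaces (0.0.0.0).

Parses /proc/net/tcp (the IPv4 socket table). A LISTEN socket whose local
address is 0.0.0.0 is reachable over every interface the container has,
including an ipvlan/macvlan interface, so this is the check to run inside a
container before deciding whether the service needs a specific bind address.
"""
import socket
import struct

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp


def parse_local_addr(field: str):
    """Decode the 'AABBCCDD:PPPP' little-endian hex form into (ip, port)."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def listening_sockets(proc_net_tcp: str):
    """Return a list of (ip, port) for every socket in LISTEN state."""
    result = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue  # skip malformed rows and established/closing connections
        result.append(parse_local_addr(fields[1]))
    return result


def wildcard_listeners(proc_net_tcp: str):
    """Ports bound to 0.0.0.0, i.e. reachable on every container interface."""
    return sorted(port for ip, port in listening_sockets(proc_net_tcp) if ip == "0.0.0.0")


# Constructed sample (not captured from a real host): an app on 0.0.0.0:8080,
# a metrics endpoint on 127.0.0.1:9090, and one ESTABLISHED connection (st 01)
# that must be ignored.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:2382 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:1F90 0100000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:  # run inside the container to audit it
        live = fh.read()
    for port in wildcard_listeners(live):
        print(f"port {port} is bound to 0.0.0.0 (reachable on every interface)")
```

Run it with `docker exec <container> python3 audit.py` (or copy it into the image); a port it reports is one you would want to rebind to the container's bridge IP or 127.0.0.1 per the advice above.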