Port expose not possible without network, which is not internal?

General
1

Hey there,
I have a container (a database) which should only be accessible within internal docker networks.
I can create an internal docker network, but if I attach it to the container, and I do not have another network attached to it, the exposed ports are not available.
If I attach a network which is not internal (--internal not set), the port is available.
Is there a possibility to attach a container only to internal networks, and to connect from another container to it (within same network of course)?

version: '3'
services:
  mariadb:
    image: mariadb:latest
    restart: always
    environment:
    MYSQL_ROOT_PASSWORD: ZENSORED
    expose:
      - 3306
    volumes:
      - "data:/var/lib/mysql"
    networks:
      - database

Network database is internal: sudo docker network create database --internal --attachable
sudo docker ps:

CONTAINER ID        IMAGE                          COMMAND                  CREATED             STATUS                        
PORTS                                                             NAMES
d7ae6be288c9        mariadb:latest                 "docker-entrypoint.s…"   56 minutes ago      Up 56 minutes                                                                                     database_mariadb_1
c275320a1b6e        nginx:latest                   "nginx -g 'daemon of…"   About an hour ago   Up About an hour                80/tcp                                                            nginx

As you can see, nginx has exposed ports (it is connected to a non internal network, database_mariadb_1 does not have exposed ports.