If you wanted to have a single cluster, that would likely require maintaining a firewall which only allowed intranet traffic to your intranet-only clients or possibly setting up a proxy container (haproxy, nginx, etc) within the cluster to enforce these rules.
In the proxy container setup, in order to not have to update a single proxy every time you add new apps or changed existing ones, you might even have each app have a proxy setup for that app. I’m referring to apps here as a set of related containers which together provide a service to the users. Those proxies would publish the ports that it’s proxied containers would otherwise publish, filter traffic based on e.g. client ip addresses and forward the traffic to the proxied containers when appropriate.
So, it’s possible to have a single cluster but requires a bit more work to secure the intranet applications properly so that they’re not exposed to the public. Having two separate clusters might be easier to maintain.
Oh, and if you’re hosting the swarm apps in the cloud, you’ll probably be able to utilize tools provided by the cloud service to filter traffic before it hits your cluster. Even in this case though it’s probably easier to have two separate cluster environments so that you can do simple filtering based on IP address ranges rather than having to constantly manage what ports must be allowed/filtered based on hosted applications being added to the cluster.