Running a pihole on a VPS, then using ufw to allow only from 1 IP

You'd still expose port 53, and IP addresses can be spoofed.

The main concern here is that you expose Pi-hole to be misused as an open resolver, posing a potential threat for all Internet users, e.g. by serving as a multiplier in a DNS Amplification attack.

Note that the Pi-hole team strongly discourages Pi-hole’s usage as an open resolver, and we won't provide support in that case.

As chrislph has pointed out, the recommended way to access a cloud-based Pi-hole would be via authenticated, secure VPN connections exclusively.

An alternative approach would be to host a public Pi-hole behind a DNS-over-TLS (DoT) proxy on port 853, as DoT would effectively eliminate the risk of amplification misusage.
The same would be true for a DNS-over-HTTPS (DoH) proxy.

Some cloud providers may offer the necessary software and instructions on how to do this, and we also received reports from users successfully adding Pi-hole to such a solution, e.g. Specifying UDP Bind Address - #22 by matan129.
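
A check for the open-resolver exposure discussed above, added here as an example and not part of the original post or of Pi-hole: `probe()` sends one recursive query to port 53/udp of your own server from an outside host and classifies the reply. All function names and the two sample responses are constructed for illustration.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Minimal recursive (RD=1) DNS query; qtype 1 = A record."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def classify_response(query, response):
    """Decide from the header flags whether the server recursed for us."""
    if len(response) < 12 or response[:2] != query[:2]:
        return {"verdict": "malformed"}
    flags, _qd, ancount = struct.unpack("!HHH", response[2:8])
    if not flags & 0x8000:                      # QR bit clear: not a response
        return {"verdict": "malformed"}
    rcode = flags & 0x000F
    recursed = bool(flags & 0x0080) and rcode == 0 and ancount > 0  # RA set + answers
    return {
        "verdict": "open-resolver" if recursed else "refused-or-closed",
        "rcode": rcode,
        "answers": ancount,
        "size_ratio": round(len(response) / len(query), 2),  # response bytes per query byte
    }

def probe(server, name="example.com", timeout=3.0):
    """Send one query to port 53/udp of your own server from an outside host."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return {"verdict": "no-answer"}     # nothing came back within the timeout
    return classify_response(query, data)

def sample_answer(query):
    """Constructed response: QR+RD+RA, NOERROR, one A record (192.0.2.1)."""
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0) + query[12:] + rr

def sample_refused(query):
    """Constructed response: QR+RD, RA clear, rcode 5 (REFUSED), no answers."""
    return query[:2] + struct.pack("!HHHHH", 0x8105, 1, 0, 0, 0) + query[12:]

if __name__ == "__main__":
    q = build_query("example.com")
    print(classify_response(q, sample_answer(q)))
    print(classify_response(q, sample_refused(q)))
```

A `no-answer` result only shows that queries from the probing host's address go unanswered; it says nothing about packets that arrive with a different source address.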