TCI sandbox type for Mashery publication

I didn't find any direct explanation about the TCI sandbox type for Mashery publication (when I want to publish a TCI API application to Mashery).

So I guess that, if not specifically stated otherwise, a TCI sandbox should be "Public" for Mashery publication.

If this is true, my question is: does this mean that I will have a completely open TCI API endpoint exposed to the internet?

In my architectural design the only publicly available endpoint should be the Mashery one, not the TCI, and again, the TCI endpoint should be accessed with some sort of authentication mechanism from the Mashery side.

Is there something I'm missing here?

Thank you.
