If you're running a web server, I'd open ports 22 (SSH), 80 (HTTP), and 443 (HTTPS).
If those ports are blocked, you won't be able to get in to your Droplet or receive standard web traffic. Console will still be available if you lock yourself out, though if you're using SSH keys, Console won't be an option as SSH keys won't work there.
The thread you linked to isn't stating that you'll end up giving access to data, it's stating that the port is not encrypted (but neither is port 80, which is why HTTPS goes over 443 if enabled).
So what can you do? You can limit what IP's access the port -- that'd probably be best in any case if it isn't something you don't want the public to be able to access. To do this, you'd need a static IP, or a VPN.
You'd whitelist the IP of the VPN, connect to the VPN and then connect on that port. If you aren't on the VPN, then you wouldn't be able to access that port (the same would apply to everyone).
You can whitelist multiple IP's or IP ranges, so if you have multiple users that need to access that port, you can add multiple IP's -- though keep in mind, they need to be static IP's otherwise you're going to end up removing and adding IP's often. It's not an issue, just more of a burden since you have to keep up with everyones IP.