The part where Android does not allow incoming connections by default is comforting however as the application I am familiar with was included in my phone's build and that server could have been active by "default" by the vendor's standards, please don't get too comfortable with the idea that all incoming traffic is blocked. When the server (or any server) is running something is being allowed in otherwise the outside client could not discover the existence of the server or it's capabilities.
NetGuard does a very good job managing the traffic it has access to. It can't cover all contentions or it would be a huge application and Marcel would lose his mind.
I agree about the use of server applications on a phone. There is far too little user control over the inner workings of Android (unless you Root and are schooled, wise and careful) for servers to be safe. I use the FTP service in the application I have under strict controls and with the understanding of who provided the application (China) for the function of transferring GPX and mp3 files without having to physically attach my phone to my desktop. In concert with FireFTP on my browser I have an easy way to manage the files on my phone
The secret to all of this is be careful and trust only after verification. Read the end-user agreements and weigh the benefits of the application against the loss of privacy and security risks. We are all little bits of income for companies and thieves.