I asked the same question, and didn't get a great answer: Isolating traffic between containers proxied by traefik - #2 by daniel.tomcej
You definitely don't need multiple instances of traefik. You'd be much better off by just having a single network per service/stack/container. It's a giant pain to maintain, though, so I wrote this to solve your exact problem: GitHub - kaysond/trafficjam: A Docker firewall for your reverse proxy network
The idea is that you have all containers that traefik needs to talk to on a single docker network, then trafficjam will dynamically add iptables rules to prevent all the containers on that network from talking to each other (except traefik, which is whitelisted and can talk to all of them). It works on swarm too, and it's a relatively simple bash script so it should be pretty secure.
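The isolation idea described in the post above, as an added example that is not part of the original post and is not trafficjam's own code: a static rule generator for one snapshot of a shared proxy network. The chain name `PROXY_ISOLATE`, the function names and the sample addresses are assumptions; it also assumes bridge traffic is visible to iptables (br_netfilter) and that Docker's `DOCKER-USER` chain exists.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules that block
# container-to-container traffic on one shared proxy network while letting
# the reverse proxy reach every backend. Review the output before applying it.
# Subnet and proxy IP can be read from `docker network inspect <network>`.

CHAIN="PROXY_ISOLATE"   # hypothetical chain name

is_ipv4() {
    case "$1" in *[!0-9.]*|"") return 1 ;; esac   # rejects spaces, ';', newlines
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

is_cidr() {
    case "$1" in *[!0-9./]*|"") return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# gen_rules SUBNET PROXY_IP [PROXY_IP...]
gen_rules() {
    subnet="$1"; shift
    is_cidr "$subnet" || { echo "bad subnet: $subnet" >&2; return 1; }
    # Without a whitelisted proxy the rules would cut off all traffic.
    [ "$#" -ge 1 ] || { echo "need at least one proxy IP" >&2; return 1; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "bad proxy IP: $ip" >&2; return 1; }
    done

    echo "iptables -N $CHAIN"
    # Replies on connections the proxy opened must get back to it.
    echo "iptables -A $CHAIN -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"
    # New connections are allowed only when the proxy is the source.
    for ip in "$@"; do
        echo "iptables -A $CHAIN -s $ip -j RETURN"
    done
    # Everything else between two addresses on the network is dropped.
    echo "iptables -A $CHAIN -j DROP"
    # Only intra-network traffic is sent through the chain.
    echo "iptables -I DOCKER-USER -s $subnet -d $subnet -j $CHAIN"
}

# Constructed sample: network 172.20.0.0/16 with the proxy at 172.20.0.2.
gen_rules 172.20.0.0/16 172.20.0.2
```

Container IPs change as containers are recreated, so a static rule set like this goes stale; that is the part the post says trafficjam handles dynamically.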