Wildcard HostSNI matching hijacks all traffic

Creating the following IngressRouteTCP will hijack all traffic:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: app
spec:
  routes:
    - match: HostSNI(`*`)
      services:
        - name: app
          port: 80

This is dangerous if the ingress class is shared between multiple teams.

I don't know the best way address this, perhaps a global flag on traefik deployment to disable wildcard host matching.