FWIW, here’s my compose file. I 100% use https for everything internal. With LetsEncrypt and Pihole, why wouldn’t you? It’s dead-simple.

networks:
  backend:
    external: True

services:
  vaultwarden:
    container_name: vw-svr-00
    image: vaultwarden/server
    environment:
      - TZ=My/Timezone
      - DOMAIN=https://my.internal.domain/
#    ports:
#      - "82:80"
    volumes:
      - ./vw_data:/data
    networks:
      - backend
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.vaultwarden.rule=Host(`my.internal.domain`)”
      - "traefik.http.routers.vaultwarden.entrypoints=websecure"
      - "traefik.http.routers.vaultwarden.tls=true"
      - "traefik.http.services.vaultwarden.loadbalancer.server.port=80"

edit: I also run my instance on a subdomain vs a path. So my instances is actually at vw.internal.domain.

Yes. You can enable password requirements to install them. iOS at least, don’t know about Android.