The app is designed to work from anywhere if the hub has outbound access to the internet. Most of the time, Webrtc can make a direct connection between the app and the hub, and if that fails it can fall back to sending an end-to-end encrypted data stream through a cloud relay.
There's no way for you to turn this off short of blocking access from the hub to the internet at your firewall -- but if you do that you'll have other problems too, e.g. the hub won't get software updates, and the time will not be kept up-to-date, etc. If you really want to, you can try limiting the range of ports used by outbound webrtc connections (which you can specify in settings > show advanced settings) and then have your firewall block traffic on those ports. Use the highest part of the range to avoid conflicts with other services.
A better approach, if you're comfortable with still having remote access under some conditions, might be to instead set an "extra password" on your account, in the users tab. That password is kept only on your hub, and is never sent off the hub ... It will be required for all accesses, and there's no way that anyone else other than you could know it.