It's been a while since I set up my runner, and I have it on my personal desktop (which is wayyyyyy beefier than the VPS I host my forgejo instance on), but I'm pretty sure I was able to specify that only my user account can trigger actions to be run on this runner. What I'm getting at is that there is a decent amount of granularity for forgejo action permissions; you should be able to find a balance that suits you between "no actions at all" and "anyone can run any code they desire on your server".