Hello,
I’m not too familiar with the ePMP range of products, but on the PMP 450 series there is a secret root password; if they are similar I would look at changing the root and admin (these are different on the 450) password and keep it same in a password manager. @Eric_Ozrelic are you able to confirm if this the same for ePMP?
I would also ENSURE that AAA Authentication, Radius is enabled!!
Having access to 169.254.1.1 isn’t a large security risk, by removing this IP is Security by Obscurity and as you know, Security by Obscurity is NO Security at all!
The 169.254.1.1 is non-routable through their home router and cannot be seen using ICMP; However if they were to bypass your home’s router they’ll be able to access the ePMP through the MGNT IP address you’ve assigned (static or dynamic private IPv4, CGNAT, public IPv6, etc, etc) in the ePMP SM, along with 169.254.1.1