Per default VyOS will allow NTP clients from 0.0.0.0/0 to reach it's NTP server.
That kind of configuration is not recommended, and would allow malicious usage by NTP reflection DDoS attacks, taking up bandwidth and making the internet as a whole a bit more unsafe.
My suggestion is to completely remove "set service ntp allow-client" from the default VyOS configuration, as any admin that has the knowledge to setup a router from scratch should also be able to configure the NTP server to allow NTP requests from it’s client’s prefixes when needed.
If anyone is able to tell me where the default configurations are, I'm able to make the PR.