If you consider your home network ALWAYS compromised, it means you shouldn’t use your home network in the first place, let alone an automation platform. Your home door can be opened in traditional ways, so do you consider your door ALWAYS compromised too? What about the keypad accessories Nuki sells? Are those compromised too?
That is absolutely not correct; it depends on how you set up the security of your network, your servers, your infrastructure in general, and access to the MQTT server. But even without MQTT, if someone has full access to your network, they can access Nuki via all the other interfaces (REST, Bluetooth, etc.). How are you using Nuki now in HA, with the nuki_ng component and the bridge? If not, are you simply using the mobile app? And don’t you consider your mobile phone TOTALLY compromised too? What about the cloud access, do you trust opening the lock from the cloud?
In any case, what you ask (even if totally wrong conceptually) cannot be done, read HA documentation on MQTT locks (I underlined the relevant statement):
What does a firewall have to do with a lock? What a confusion. We’re talking about integration of a lock in a home automation platform, and there are pre-requirements and constraints in order to do so.
Another conceptual thing: Nuki will access MQTT, but it won’t send COMMANDS. HA will send commands, and you can configure a secure MQTT connection between HA and MQTT, so the commands to open the lock through MQTT will go through a secure connection if you configure it properly. Furthermore, the secure connection between the lock and the broker only encrypts data flowing locally, but if you have the user/pw for the broker, it doesn’t improve security. MQTT secure is necessary when sending sensitive data to a public broker; a LAN broker is not the proper use case.
So concentrate on securing your network and your HA server before thinking about the end device.
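As an added illustration of the point above about the HA-to-broker link and the broker credentials (not from the original post, nor from Nuki or Home Assistant), here is a Mosquitto broker configuration with the weak settings beside a hardened version, followed by the ACL file it references. The listener ports, file paths, user names and the `nuki/...` topic names are assumptions, not Nuki's actual topics; the ACL mirrors the post's model (the lock publishes state and only HA publishes commands), so a leaked lock credential cannot be used to send commands.

```conf
# ===== mosquitto.conf (assumed paths and names; adjust to your setup) =====

# --- Weak: plain TCP, any device on the LAN can connect and publish lock commands ---
listener 1883
allow_anonymous true

# --- Hardened ---
listener 8883
# TLS between Home Assistant / the lock and the broker (encrypts LAN traffic only)
cafile /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile /etc/mosquitto/certs/broker.key
# Broker credentials are the real gate: no anonymous clients,
# one password per client (created with mosquitto_passwd) and a topic ACL
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/acl

# ===== /etc/mosquitto/acl (topics are placeholders, not Nuki's real topic names) =====
# With an acl_file present, anything not listed below is denied.

# The lock: may publish its state, may only read commands
user nuki-lock
topic write nuki/state/#
topic read nuki/command/#

# Home Assistant: may read state, is the only client allowed to publish commands
user homeassistant
topic read nuki/state/#
topic write nuki/command/#
```

Check the result by connecting as `nuki-lock` and publishing to `nuki/command/...`: the broker should silently drop the message, while the same publish as `homeassistant` goes through.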