DANGER, WILL ROBINSON!
You are correct that once you create the Publish to Web link, it is effectively “out in the wild”. And embedding Publish to Web behind a secure portal doesn’t necessarily make it secure. Watch this scary episode of Guy in a Cube for one example.
There is really no way to confidently secure sensitive Power BI reports without proper licensing. If there were, Microsoft would have no way to recoup any of the massive investment they’ve made in this platform.
-Brian