So to be clear, I REPEAT, the only forwarded port is 83333
First of all, why are you doing that? It's not required to forward that port to run a full node.
The password change did not stop the pool switching, the only thing it stopped it was making that config file read only so there is something in the software that tries to change the pool.
Of course, if someone planted a script on your machine that periodically goes to the config file and changes the pool settings, changing password doesn't help,
because they're already inside.
I am myself considering installing my own Linux distro on mine & connecting the Apollo 'to itself' using a short USB-A => Micro-USB cable, in light of these vulnerability reports. Had no issues with it so far, though.
In the setup guide it is mentioned to forward port 83333 to have maximum node connections....I did what it says there...I am no Linux expert so I followed the guide...